In many ways, the new CISO is the bridge in communication between the technology and business executives, who often speak different languages. Having a CISO with the technical background who is able to translate technology into risk allows for the CRO to have a more effective impact on the perceptions of the board.
Why controversy over the shift?
That all sounds nice and very kumbaya-like, so why then has there been some controversy over the shift?
"The reality is that from an execution point of view, security is about technical execution," said Grossman. "When it all gets boiled down, at the heart of it is technology. Separating it can potentially create conflicting goals between risk/infosec and technology."
But, if it’s done properly and everyone is playing nicely in the sandbox, it should work. Grossman said, "The goal is to manage security in a more effective way. It’s all about everybody marching to the same drummer. Bringing together all the silos in the business so that there are no silos. Everyone has the same common goals and metrics of what the business is trying to achieve."
Changing the hard wiring of people, though, can be a formidable challenge. "Shifting people with risk mindsets to info sec is a lot easier than shifting those with technology to a risk mindset," Grossman said.
Still, the hardest thing to overcome overall is human behavior. "No matter what you do from technological point of view, companies make it hard for users to do things, but the secure way is the technical way," said Grossman.
Christiansen said that the CRO is going to have broader responsibilities. "Now it's not just worrying about the physical but the information risk. Because of those fundamental differences in their roles, it makes for a fundamental clash."
When reporting to the CIO, there were more peer level conversations."If the CISO is no longer reporting to them, they start excluding them. The CISO might not be invited to meetings where they are talking about strategy," said Christiansen.
As a result, making sure they stay engaged in IT could be a challenge for the new CISO. If the shift will result in the CISO having less hands-on understanding of the technology, why is the shift happening?
Todd Fitzgerald, CISO at Grant Thornton said, "I think it’s happening because boards are starting to understand that security is another risk to an organization. It's not really just an IT issue. The impact that cybersecurity incidents can have on the organization has put it in the same class as other risks to the organization because it can be just as damaging."
Certainly, when they move security away from the CIO, the CISO is not as aware of the IT initiatives that are going on, and that’s one down side that everyone needs to be mindful of. The CIO shouldn't make the CISO feel that they're not on that team anymore, even though in many ways they are now getting information from an external view.
Sign up for CIO Asia eNewsletters.