Will the CISO surpass the CIO?

Will the CISO surpass the CIO?

This is a contributed piece by J.J. Guy, senior director of cloud engineering at Carbon Black

In recent times many security leaders in organisations were promoted from a mid-tier manager to the CISO. Security was considered as “just one more job” of the IT department, so the manager who owned security took the CISO title but continued to report to the more senior CIO.

As businesses learned security was more about overall business risk than simply a function of technology, the reporting chain for CISOs started to move outside the CIO’s organisation and CISOs began reporting to the CEO, CFO or COO. 

It was a mistake when CIOs created the CISO role and then moved it out of their organisation. Collectively, CIOs missed an opportunity to take responsibility for security when the CISO role was created. If CIOs had taken ownership of security and evolved their organisations, there would have been no need to distinguish them from CISOs, let alone create two separate organisations: one for IT and one for security.

This evolution is still underway but we will soon see another shift: the CIO will increasingly report to the CISO.

CISOs are operationalising their information security programmes, transforming security from a checkbox product the CIO bought from a vendor into an operation that combines products, people and processes. Those operations are gaining discipline and rigor from a painful but effective feedback loop, thanks to constant testing by attackers. CISOs are discovering the IT basics such as network management, asset management and patching are critical to secure operations, but in many organisations they are poorly managed. 

As WannaCry and Petya have acutely demonstrated, there were millions of machines both unpatched for weeks and with SMB open to the world. Patching is hard and open SMB is silly, but unpatched systems with open SMB is gross negligence – and this is just one recent and high-profile exampleIt is impossible to secure an enterprise network when the organisation can’t handle the basic blocking and tackling of IT.

To secure their networks, enterprises must begin operationalising their IT programmes, growing discipline as strong as their security operations teams. As realisation of this truth grows, we will see the shift: the CISO will own not just the security functions, but all the core infrastructure – networks, devices and operating systems. The CIO will own the business processes - the core value of IT making the business more efficient. The CISO owns the core infrastructure that makes the network run, the CIO owns the applications that run on that infrastructure and the business processes they support.

Today’s titles won’t make sense at that point. The position we call CISO today will be something more similar to the Chief Information Operations Officer, to reflect his duty to operationalising both the IT and security programmes, with the 24/7 operational rigor required to maintain security and availability. He’ll have something like three direct reports: the operations centre, the enterprise applications team and a compliance team.

The next major step in security is growing the same discipline in our IT operations that we have in our security operations. You cannot fix the problem by simply buying a new next-generation product, or a new deep learning artificial intelligence gizmo. It takes a combination of people, processes and products. The organisation must be constantly improving. No vendor’s product can overcome your team’s lack of operational discipline.

CISOs with mature security operations teams have already recognised this; their teams have the momentum built and are gaining rigor daily. However, they are building security programmes on top of the core IT infrastructure. The overall security of your network is only as good as the weaker of your security and IT programmes.  The value of new investment in security operations will decline unless the IT operations also mature.

Of course, this organisation looks much like the one we had 10 years ago: the CIO and his team. Except now we recognise security and an operational culture are critical components to the CIO’s role, something that was not widely recognised before. Perhaps the simplest answer is we return to the original org chart, but with a more acute understanding of responsibilities. Today’s “CISOs” get promoted to “CIO” and we return to one “technology CxO” in the executive team.

Alternatively, the situation could also be summarised as “the CISO should never have reported to anyone but the CIO”, or, “the CISO should not exist” is another potential interpretation.

We are still very early in the development of security as an independent corporate discipline with board-level visibility.  Many organisations have not yet prioritised security to this level, and there is a lot of diversity amongst those that have.

Whatever organisational construct fits your company, note that operationalising security is more important than compliance and oversight activities. Furthermore, operational maturity must be applied not only to security-specific activities, but also the traditional IT activities.

However it shakes out, it will be fun to watch unfold – and our networks will continue to get more secure as a result.


«Emerging markets need to catch-up on high skill programming


How might blockchain-enabled IoT work in practice?»
IDG Connect

IDG Connect tackles the tech stories that matter to you

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.


Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.



Should the government regulate Artificial Intelligence?