Given the prevalence and intensity of cyberattacks on business, the CISO/CSO’s role is arguably one of the most critical. Yet, judging from articles published this week about the C-suite and shifts in influence, it remains to be seen if the role is getting the recognition it deserves.
As we reported yesterday, budget authority for CISOs and CIOs has declined, according to an Accenture study. However, according to The Wall Street Journal, CISOs are breaking out from the organizational structure, where they have reported to CTOs or CIOs, to have more autonomy and oversight.
“Today, by giving CISOs a broader view and better negotiating power across the organization, companies are acknowledging the growing importance of cyber risk and addressing a potential conflict of interest between technology heads and the security personnel who may have different priorities,” reports The Wall Street Journal.
Those in favor of the traditional approach, where the CISO is tucked in under the CIO or CTO, argue that it’s simply unnecessary to add individual chiefs of security, or risk, or data. The CIO understands the directives and needs of the CEO and can manage across the technology work groups and convey the big-picture rundown.
Those opposed to putting the CISO in a sub-level structure, however, believe that the cybersecurity issues that exist today are partly because security hasn’t had enough top-level attention. It can’t be treated as just an IT problem. It’s far bigger than that. And, organizations cannot afford to have details related to cybersecurity glossed over or swept aside.
Quoting Anthony Belfiore, chief security officer for insurance company Aon PLC, The Wall Street Journal writes, “You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play.” As an example, Belfiore told The Wall Street Journal that such conflict can include concerns around the CISO not having authority to influence projects driven by the CIO if there are security concerns.
That kind of tension appeared to play out with Facebook’s outgoing CISO, Alex Stamos. As he worked to implement tighter security, he reportedly ruffled some feathers.
“Support from top executives can alleviate the struggles of pushing tough initiatives, a problem CISOs often face, said Don Welch, chief information security officer of Pennsylvania State University,” writes The Wall Street Journal.
Regardless of whom the CSO reports to, it seems everyone agrees that security can’t be buried, and that organizational culture and communication are key to making that happen.
Get the full story at The Wall Street Journal.