Security By Design- Part 13

My blog posts here mostly focus on the complexity of the systems supporting business operations, the complicating factors of our reliance on the Internet for business communications and commerce, the extended risk and value chain of the multiple layers of suppliers and customers engaged with our businesses, and the roles and methods of managing information security in large and small interconnected businesses.  Today I am going to focus narrowly on the role of the Chief Information Security Officer (CISO).

I have been engaged in information technology for enough years to have witnessed the birth of the role of the Chief Information Security Officer.  In the early days of my career, we did not have such a role in an IT organization.  We had Security Managers reporting to the Chief Information Officer (CIO) or Chief Technology Officer (CTO), or even lower in the hierarchy of Information Technology organizational structures.  Indeed, I was once designated Security Manager for a large aerospace company back in the long-ago times of the 1980s.  In another stage of my career, I served as an SVP-level Chief Security Officer for a large multi-national outsourcing firm with multiple CISOs and Security Officers (SOs) reporting to me.  The reason I am turning to the CISO role today is that I recently read an article which declared that:

“To put it bluntly, the CISO role is dead.”

Quite a striking comment, especially if you hold a CISO title in an organization today.  Normally when I include someone else’s words in one of my posts, I include an attribution to that person as the source or author.  In this case, the article was attributed to an online forum run by a for-profit company rather than to an individual author, and I have chosen not to provide pro bono advertising.

“The CISO role is dead” is a strong statement, and it resonates with what I am seeing and experiencing today in many organizations.  Maybe the CISO role has outlived its purpose, or is now facing a need to evolve.  Two observations drive that thought:

The threats and risks our businesses face today are at the highest level of systemic digital risk I have experienced in my 45+ years in the Information Technology industry.

and

Information Technology organizations no longer control all the information technology devices and systems in use in their organizations today.

Maybe it is time for the CISO role to evolve or morph into something new: a role that truly addresses the need for a holistic approach to managing the systemic information risk inherent in our complex digital systems.  If so, what should this new role look like?  Is it time to break out of the Information Technology-driven focus of Information Security and elevate a company’s focus on and treatment of Information Security Risk?  Should this role be part of an Information Technology function, or should it be part of a broader approach to managing business risk and reside elsewhere in the business organization?

IT Risk = Business Risk

If we accept that all IT risk is Business Risk, then we should logically accept that managing information risk should not reside solely within an information technology organization.  Thus, I propose that two changes are needed to adequately address the inherent systemic risk in our complex digital systems.  The first is a new role.  The second is that this new role should not be placed inside the Information Technology organization.

Digital Risk and Resilience Officer

This role, Digital Risk and Resilience Officer (DRRO), should be part of a business’s Enterprise Risk Management (ERM) function, and it may or may not be the only senior role addressing information risk and security.  I envision that many Information Technology organizations may elect to maintain a traditional Chief Information Security Officer (CISO) role focused solely on the IT organization itself.  If so, I suggest that the role should no longer carry a “Chief” title, but rather be titled Information Security Officer.  As many business organizations already embrace Enterprise Risk Management and have a senior leadership role for a Chief Risk Officer (CRO), I envision that the emerging DRRO role would report to the Chief Risk Officer and collaborate with both the CRO and the IT Information Security Officer (ISO).  The Digital Risk and Resilience Officer role should represent a significant evolution in purpose, responsibility, and vision for dealing with the threats and systemic risks our businesses now face every day.

I would encourage you all to think about the potential of a Digital Risk and Resilience Officer role, and to focus on the evolution needed in Information Security to make it more encompassing and more vital to the success of your business’s future.

In my next blog post, I will expand on my thoughts concerning a Digital Risk and Resilience Officer role.

Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos; Chief Technology Officer and Head of Operations, SVP at Philips; Chief Technology Officer, SVP at Novartis; Executive-in-Residence with McKinsey & Company; and Chief Technology Officer at McDonald’s.  He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase, Grumman Aerospace Corporation, and the United States Navy.

DISCLAIMER

Copyright ©2024 by DivIHN Integration Inc. | [email protected].

The creator of the document reserves all rights.  Publication Date: September 2024.  DivIHN Integration Inc. reserves the right to change the contents of this article, its features, or its scope without any obligation to notify anyone of such changes.  The content has been adapted using secondary research from various data points via “Google Search”.  Infographics and images used in the document are the property of their respective owners and have been used for indicative purposes only.  The author reserves the right to authorize the use of the Intellectual Property contained in the document.