I began my last blog post by quoting from a business forum I had read:
“To put it bluntly, the CISO role is dead.”
And I closed my last post saying that I would encourage you all to think about the potential of a Digital Risk and Resilience Officer role and focus as an evolution needed in Information Security which will be more encompassing and vital to the success of your business’s future.
Some of you who read my last post may have dismissed my comment out of hand. Others may have read a bit deeper into my comments, and your reaction, at least internally, was that Joe has no clue what he is talking about. Just maybe, one or two of you thought about my comments and said to yourself, he may be onto something.
I do not claim to have all the clues, but I can assure you that throughout my career I have prided myself in working hard to ensure I had at least half a clue concerning what was going on around me in my professional domain.
It is a fair bet for me to say again today that:
The threats and risks our businesses face today are at the highest level of systemic digital risk I have experienced in my 45+ years in the Information Technology industry.
&
Information Technology organizations no longer control all the information technology devices and systems in use in their organizations today.
Let me take this one step further:
“Never in the history of modern business operations has there been a risk domain as impactful as Information Technology. Information Technology and Digital Business Systems are the only risk domain which can bring my company’s business operations to a complete standstill in an instant!”
This is a quote from a discussion I recently had with the head of Enterprise Risk Management for a multi-billion-dollar business. My conversations during the past year with many Chief Risk Officers, Enterprise Risk Managers and Chief Information Security Officers have all led me to the opinion that it is time to start thinking about, and acting on, the notion that the CISO role as we know it today is past its shelf life, and that it is time to seriously embrace a Digital Risk and Resilience Officer role.
The CISO role as we know it today is past its shelf life.
It is time to embrace the
Digital Risk and Resilience Officer role.
The traditional CISO role is intended to address the protection of an organization’s information technology, digital business systems, and data from attacks. This is often focused on external threats and can also include controls to address internal misuse of information systems and data. This is a narrow focus given the widespread use of digital systems, data, communications and workplace technologies throughout businesses, their customer chains and their supply chains. While cybersecurity risk management focuses on cyber threats and the recovery of information technology systems, it is a focus which rarely addresses the impacts on the rest of the business organization.
Enterprise Risk Management acknowledges cybersecurity threats and risks, but sees these risks through a CISO’s eyes, usually not through the eyes of your business. When speaking with ERM leaders and Chief Risk Officers, I have rarely found a fully integrative understanding of the true extent of digital disruption impacts, or of the need for a business-integrative approach to ensure digital resilience when recovering from such business disruptions.
Another impediment to embracing Digital Resilience, a required new core competence, is what I call grade / position inflation in cybersecurity. Prior to 1995, I do not think there was any role in business for information technology entitled Chief Information Security Officer. There were roles in the 1970s and 1980s for information technology security, and the role of information technology security manager was common. Steve Katz is credited as the first person appointed to a Chief Information Security Officer role, by Citibank in 1995, after Citibank suffered a series of successful cyber security attacks by Russian hackers. In the 1990s and into the early 2000s it was common to have an information technology security manager role reporting to a Chief Information Officer or a Chief Technology Officer. This role was often filled by a manager- or director-level position. As the frequency of cybersecurity attacks escalated through the 2000s, and business impacts became larger, we began to see the escalation of information technology security managers to higher grade levels. There was something Darwinian about the escalation of security managers to Chief Information Security Managers and further to Director and Officer roles. Today it is not uncommon to see CISO roles held by Vice Presidents or Senior Vice Presidents reporting to Chief Information Officers, and even reporting lines directly to business Chief Executive Officers. Raising the position and salary levels of CISOs does not directly translate to significantly improved cybersecurity or digital resilience. Organizational performance, in my experience, even for cybersecurity and digital resilience, is primarily driven by organizational culture, strong governance, professional competence and employing a right role, right person approach.
Right Role, Right Person, Right Positioning
It is a given that the complexity of the digital systems integrating a business’s operations internally, as well as externally with its customer chains and supply chains, increases risk and the potential for catastrophic business disruptions. We all know this. Risk Management is one of the five pillars of organizational governance. I have spoken extensively in previous posts about risk management practices. Identifying risks is the easy part of risk management. Business Digital Resiliency practices, not just information technology recovery practices, are hard to plan for and implement. Business Digital Resiliency success requires the true integration of a new role at a very senior level in Organization Governance and Enterprise Risk Management. I believe the next evolution of roles in Cybersecurity requires the adoption of a Digital Risk and Resilience Officer role which reports to the Chief Risk Officer / Enterprise Risk Management role in the business organization. I do not envision the DRRO role as an information technology role. This would be a role which creates a career path for the “graduation” of a CISO into a business-focused role, while maintaining an IT Information Security Officer (IT ISO) role within the information technology organization.
A Very Simple Equation
How I arrived at my realization that a Digital Risk and Resilience Officer role is needed can be summarized as follows:
The CISO / ISO role is not dead! It is time to embrace a new and improved role focused on
Digital Risk and Resilience.
The Digital Risk and Resilience Officer role should represent a significant evolution in purpose, responsibility and vision for dealing with the threats and systemic risks our businesses now face every day. I again encourage you all to think about the potential of a Digital Risk and Resilience Officer role and focus as an evolution needed in Information Security which will be more encompassing and vital to the success of your business’s future.
In my next blog post, I will expand on what a CRO/ERM + DRRO integrative business approach to Enterprise Digital Risk and Resiliency might mean.
Joseph F. Norton is a Risk, Security, and Crisis Management professional.
He is a founding member and Qualified Technology Executive of the Digital Directors Network, Special Advisor for Risk and Cybersecurity to DivIHN, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.
He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s. He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.