Chief information security officers have a lot on their plate. Between data protection, malware detection, compliance regulations, social media security, mobile device management (MDM) and many more areas that fall into the realm of the security team, the chief information security officer (CISO) is obliged to wear many hats each day.
A recent survey by IBM highlighted this multitude of CISO responsibilities. In the report, Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer assessment (PDF), IBM said the ideal CISO must “assume a business leadership position and dispel the idea that information security is a technology support function. Their purview must encompass education and cultural change, not just security technology and processes. Leaders will need to reorient their security organizations around proactive risk management rather than crisis response and compliance. And the management of information security must migrate from discrete and fragmented initiatives to an integrated, systemic approach.”
That’s a tall order, and trying to accomplish it all could lead to CISO burnout. It’s not so much that there’s too much to do (although there is). The real problem causing CISOs to reach for the Pepto Bismol is there are too many conflicting demands coming at them from different angles.
But changes to the CISO role may be on the way, according to Jon Oltsik, a security analyst at research firm Enterprise Strategy Group. Oltsik believes the CISO function will naturally, and of necessity, divide into two roles: CSO and CISTO.
The chief security officer (CSO) will focus on the intersection of risk and business. The CSO will deal with compliance and legal issues, and be the person who goes before the board of directors to explain the expected return on a $1 million security investment.
The chief information security technology officer (CISTO) will focus on IT security architecture and infrastructure. The CISTO will own the security controls, including monitoring the company’s defenses and reporting on their effectiveness.
Oltsik sums it up like this: CSOs create cybersecurity policies; CISTOs enforce them.
Allocating responsibilities in this way would probably be welcomed by today’s overburdened CISOs. Training programs could be built around the two distinct career paths, and security professionals could pursue whichever one best suits their personalities and skills.