When I was doing my MBA at BGSU just before the Internet
bubble started, the world of Information Technology was just starting to
explode. As far as I remember, Microsoft
kept coming out with new versions of Windows, as well as their Office line of
products.
E-mail was easier to use; the likes of Eudora (thus effectively getting rid of the UNIX-based e-mail approach) were getting popular, and heck, even Netscape and their browser were starting to take off, which started the battle with Internet Explorer.
The main ISP at the time was AOL, and I think I even used
that for the next decade until high-speed broadband came out. The IT job market was explosive, and
continued that way until about 2000. At the time, everybody I knew of aspired to reach the top, which meant even being the CIO of a company. That was a big term back then, as anybody can attest to.
Even during the time of the major debacles of both Enron and WorldCom, the title of CIO was still one to aspire to. Now fast forward about twenty years at breakneck speed, and you don't even hear the term CIO being mentioned anymore. Now it is the CISO which is the term that is literally being slammed around, but unfortunately in a bad way.
So now the question comes up: is the role of the CIO even needed anymore? I actually wrote an article about this some time ago for a client, which laid out the differences between what a CIO is and what a CISO is.
Technically speaking, the former has been in charge of the
overall business direction of the IT Department of the company. Most of the technical tasks have been
delegated downwards to the IT Managers that reported to the CIO.
The latter is much more concerned with the technical side of
the IT world for the business, as the name implies. Given the world that we live in today, it is
no wonder that this job title is so widely used and heard of.
But today, as I was perusing the news headlines of what to
write about, I came across a very interesting article as to how the CISO should
report to the CIO.
Admittedly, it caught me off guard, because this is the first time in a while I had even heard the term CIO being used. The article started off by saying that there were two schools of thought on this, and that they were as follows:
*The CISO should report directly to the CIO;
*The CISO should report directly to the CEO;
*The CISO should report directly to the legal department,
and whoever the head attorney there is.
This thinking has been spawned mostly by the data privacy laws of the
GDPR and the CCPA which have been recently enacted.
Interestingly enough, and if I am understanding the article correctly, the author actually reversed the job expectations of these two titles. Broadly put, he implied that the CISO should now be responsible for the business aspects and direction of the business, and that the CIO should be held accountable for the technical aspects.
Hmm, after reading those few paragraphs, I thought OK, I
guess everybody can have their own opinion as to what they think is right. The author then further made the hypothesis
that the roles of the CISO and the CIO should be completely separate from one
another.
In other words, there is no reporting hierarchy here, the
CISO does not report to the CIO, but rather both of them report directly to the
CEO.
My thoughts on this: wouldn't it be rather confusing for the CEO to have two different points of view as it relates to technology and Cybersecurity? I mean, after all, when one thinks of technology, the immediate thoughts of Cybersecurity automatically pop up.
Nobody thinks of IT anymore as just mere desktops, workstations, and servers; they all now get lumped together under the same term.
His main premise for this hypothesis is that the first thing the CISO is known for is asking for money for their Cybersecurity budget, and that this should not be clouded by the visions that the CIO has for the IT department.
In other words, the author makes the claim that these two
roles should be “decoupled” from one another.
To some degree, I can see where the author is coming from on this one, and to be honest, I think he is just trying to be fair to the CISO in their requests.
He finally makes the conclusion that by having distinct
lines of separation, there will be a good system of checks and balances for the
organization.
My Thoughts On This
If you want my opinion, get rid of the role of the CIO entirely. It is totally outdated, and really not even needed anymore. But keep the role of the CISO, and instead make that role the "vCISO". Why is this? Well, given today's uncertainty about the COVID-19 pandemic, no company in Corporate America now really wants direct hires for the role of the CISO.
The reason for this is pure and simple.
They are too expensive for the bottom line, given the enormous salary that you have to pay them, as well as the perks and bonuses. Secondly, CISOs only last at most 18 months, and from there they either get fired or they just quit. Nowadays, you see many Cyber vendors offering what are known as "vCISO" services.
This is where you essentially procure the resources of an actual CISO, but you hire them on a fixed-term contract, and for a fraction of the price it would cost to hire a regular CISO. You can keep them for as long as you need. In other words, there is scalability here. Bring them on when you need them, and when you don't, terminate the contract.
Plus, by going with the vCISO route, they will probably bring a plethora of other contacts with them, which can help with staff augmentation for your IT Security team. All of this will never happen under the traditional CIO and CISO job titles.
Also as mentioned, with the advent of the data privacy laws,
there are other “v” roles coming out, such as that of the vCCO (Chief
Compliance Officer) and the vCDPO (Chief Data Privacy Officer). There are probably other “v” roles that will
emerge for the Cyber industry.
But if you really need somebody like a CIO, then you need to hire what is known as a vBISO, which stands for Business Information Security Officer. They offer the same kind of business advice that a CIO would. Yeah, there are a lot of acronyms here, but that is the direction the world is now headed.
So my view? Once again, forget the CISO and CIO titles. Go with the "v" roles instead. They will give you the biggest bang for your buck, but best of all, the services they offer you will be totally vendor neutral and unbiased, thus allowing you to make the best decisions possible for your company.