Sunday, January 16, 2022

The End Of The CISO & CIO Are Now Here: Embrace The "v"

When I was doing my MBA at BGSU just before the Internet bubble started, the world of Information Technology was just starting to explode.  As far as I remember, Microsoft kept coming out with new versions of Windows, as well as their Office line of products. 

E-mail was easier to use, as the likes of Eudora (thus effectively getting rid of the UNIX-based e-mail approach) were getting popular, and heck, even Netscape and its browser were starting to take off, which started the battle with Internet Explorer.

The main ISP at the time was AOL, and I think I even used that for the next decade until high-speed broadband came out.  The IT job market was explosive, and continued that way until about 2000.  At the time, everybody I knew aspired to reach the top, which meant even becoming the CIO of a company.  That was a big term back then, as anybody can attest.

Even during the time of the major debacles of both Enron and WorldCom, the title of CIO was still one to aspire to.  Now fast forward about twenty years at breakneck speed, and you don’t even hear the term CIO mentioned anymore.  Now it is the CISO that is the term being slammed around, but unfortunately in a bad way.

So, now the question comes up: is the role of the CIO even needed anymore?  I actually wrote an article about this some time ago for a client, which laid out the differences between what a CIO is and what a CISO is.

Technically speaking, the former has been in charge of the overall business direction of the company's IT Department.  Most of the technical tasks have been delegated downwards to the IT Managers who report to the CIO.

The latter is much more concerned with the technical side of the IT world for the business, as the name implies.  Given the world that we live in today, it is no wonder that this job title is so widely used and heard of. 

But today, as I was perusing the news headlines for something to write about, I came across a very interesting article as to whether the CISO should report to the CIO.

Admittedly, it caught me off guard, because this was the first time in a while that I had even heard the term CIO being used.  The article started off by saying that there were two schools of thought on this, which were as follows:

*The CISO should report directly to the CIO;

*The CISO should report directly to the CEO;

*The CISO should report directly to the legal department, and whoever the head attorney there is.  This thinking has been spawned mostly by the data privacy laws, the GDPR and the CCPA, which were recently enacted.

Interestingly enough, if I am understanding the article correctly, the author actually reversed the job expectations of these two titles.  Broadly put, he implied that the CISO should now be responsible for the business aspects and direction of the business, and that the CIO should be held accountable for the technical aspects.

Hmm, after reading those few paragraphs, I thought, OK, I guess everybody can have their own opinion as to what they think is right.  The author then went further and hypothesized that the roles of the CISO and the CIO should be completely separate from one another.

In other words, there is no reporting hierarchy here: the CISO does not report to the CIO; rather, both of them report directly to the CEO.

My thought on this is, wouldn’t it be rather confusing for the CEO to have two different points of view as they relate to technology and Cybersecurity?  I mean, after all, when one thinks of technology, thoughts of Cybersecurity immediately pop up.

Nobody thinks of IT anymore as just mere desktops, workstations, and servers; they all now get lumped together under the same term.

His main premise for this hypothesis is that the first thing the CISO is known for is asking for money for their Cybersecurity budget, and that this should not be clouded by the vision the CIO has for the IT department.

In other words, the author makes the claim that these two roles should be “decoupled” from one another.  To some degree, I can see where the author is coming from on this one, and to be honest, I think he is just trying to be fair to the CISO in their requests.

He finally concludes that by having distinct lines of separation, there will be a good system of checks and balances for the organization.

My Thoughts On This 

If you want my opinion, get rid of the role of the CIO entirely.  It is totally outdated, and really not even needed anymore.  Keep the role of the CISO, but instead make it that of the “vCISO”.  Why is this?  Well, given today’s uncertainty about the COVID-19 pandemic, no company in Corporate America now really wants direct hires for the role of the CISO.

The reason for this is pure and simple.

They are too expensive for the bottom line, given the enormous salary that you have to pay them, as well as the perks and bonuses.  Secondly, CISOs last at most 18 months, and from there either get fired or just quit.  Nowadays, you see many Cyber vendors offering what are known as “vCISO” services.

This is where you essentially procure the resources of an actual CISO, but you hire them on a fixed-term contract, for a fraction of the price it would cost to hire a regular CISO.  You can keep them for as long as you need.  In other words, there is scalability here.

Bring them on when you need them, and when you don’t, terminate the contract.

Plus, by going the vCISO route, they will probably bring a plethora of other contacts with them, which can help with staff augmentation for your IT Security team.  None of this would happen under the traditional CIO and CISO job titles.

Also, as mentioned, with the advent of the data privacy laws, there are other “v” roles coming out, such as the vCCO (virtual Chief Compliance Officer) and the vCDPO (virtual Chief Data Privacy Officer).  There will probably be other “v” roles that emerge for the Cyber industry.

But if you really want somebody like a CIO, then you need to hire what is known as a vBISO, which stands for virtual Business Information Security Officer.  They offer the same kind of business advice that a CIO would.  Yeah, there are a lot of acronyms here, but that is the direction the world is now headed.

So my view?  Once again, forget the CISO and CIO titles.  Go with the “v” roles instead.  They will give you the biggest bang for your buck, but best of all, the services they offer will be totally vendor neutral and unbiased, thus allowing you to make the best decisions possible for your company.
