Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 7 June, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

The CIO will report to the CISO

by The Gurus
August 8, 2017
in This Week's Gurus
Share on FacebookShare on Twitter

J.J. Guy, Senior Director of Cloud Engineering, Carbon Black
Several years ago, security leaders in many organisations were promoted from a mid-tier manager to the CISO.  In the early org chart iterations, security was considered as “just one more job” of the IT department, so the manager who owns security took the CISO title but continued to report to the CIO.
As businesses learned security was more about overall business risk than simply a function of technology, the reporting chain for CISOs started to move outside the CIO’s organisation and CISOs began reporting to the CEO, CFO or COO.
This evolution is still underway, but it will shift again soon: the CIO will report to the CISO.
CISOs are operationalising their information security programmes, transforming security from a checkbox product the CIO bought from a vendor into an operation that combines products, people and processes. Those operations are gaining discipline and rigor from a painful but effective feedback loop, thanks to constant testing by attackers. CISOs are discovering the IT basics such as network management, asset management and patching are critical to secure operations, but in many organisations they are poorly managed.
As WannaCry and Petya have acutely demonstrated, there were millions of machines both unpatched for weeks and with SMB open to the world. Patching is hard and open SMB is silly, but unpatched systems with open SMB is gross negligence – and this is just one recent and high-profile example. It is impossible to secure an enterprise network when the organisation can’t handle the basic blocking and tackling of IT.

To secure their networks, enterprises must begin operationalising their IT programmes, growing discipline as strong as their security operations teams. As realisation of this truth grows, we will see a shift: the CISO will own not just the security functions, but all the core infrastructure – networks, devices and operating systems. The CIO will own the business processes: the core value of IT making the business more efficient. The CISO owns the core infrastructure that makes the network run, the CIO owns the applications that run on that infrastructure and the business processes they support.
Today’s titles won’t make sense at that point. The position we call CISO today will be something more similar to the Chief Information Operations Officer, to reflect his duty to operationalising both the IT and security programs, with the 24/7 operational rigor required to maintain security and availability. He’ll have something like three direct reports: the operations centre, the enterprise applications team and a compliance team.
Of course, this organisation looks much like the one we had ten years ago: the CIO and his team. Except now we recognise security and an operational culture are critical components to the CIO’s role, something that was not widely recognised before. Perhaps the simplest answer is we return to the original org chart, but with a more acute understanding of responsibilities. Today’s “CISOs” get promoted to “CIO” and we return to one “technology CxO” in the executive team.
However it shakes out, it will be fun to watch unfold – and our networks will continue to get more secure as a result.
 

FacebookTweetLinkedIn
Tags: CIOCISOcybersecurityITtech
ShareTweet
Previous Post

Ireland's state-owned electricity provider EirGrid hit by 'state-sponsored' hackers

Next Post

GDPR compliance: six steps to make it happen

Recent News

Blue Logo OUTPOST24

Outpost24 Acquires EASM Provider Sweepatic

June 7, 2023
Standard post, logos of brands, headshot.

J Brand: The Challenges of Putting Mental Health First in an Unfamiliar Industry

June 6, 2023
iPad with Anxiety written on it in capitals.

Half of UK Employees Suffer From “Sunday Scaries”

June 6, 2023
UK Organisations lack clear path to achieve threat intelligence

UK Organisations lack clear path to achieve threat intelligence

June 6, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information