The job description for the people that are responsible for IT security within an organization has been in a state of flux for over a decade. Since Steve Katz became the first CISO back in 1995, both business leaders and the security industry in general have been thinking and rethinking the need for such a person and the responsibilities that he or she should have.
The Evolution of the CSO
Citigroup became the first commercial company to recognize the need for the brand new corporate CISO role when they responded to a highly publicized Russian malware incident. As cyber threats continued to grow in terms of real risk to the business and in the minds of the general public, business leaders recognized the need to dedicate resources to manage that risk.
The first practitioners came out of the technical ranks — the IT shops. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world. But this was a new thing for the techies: trying to translate technical risk to a business leader not versed in IT security did not always go very well. That’s when it became convenient to tuck these kinds of people underneath the Chief Information Officer (CIO) reporting organization. CISOs began working for the CIO because, from the C-Suite perspective, all of that “technical stuff” belonged in one basket.
But as business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc. The idea of the Chief Security Officer role began to get popular with business leaders because they needed somebody to look at the entire business — not just the cyber security risk to the business but the general security risk presented by any one or a combination of those challenges. CSO Magazine launched in 2002 to cater to that crowd. , and in 2004, American National Standards Institute accredited the Certified Information Systems Security Professional (CISSP) program where Information Assurance practitioners could get certified in a recognized, agreed-upon set of skills.
Since then, the industry has been in flux. Not every company organizes the same way. While the CIO has made its way to the executive suite in some companies (Intel, for example), that is by no means the norm. The Chief Security Officer is likewise not yet a fixture, but I suspect that situation is changing. Let’s talk about why.
CSO/CISO As A Distinct Role
The CISO role has emerged in the last five years as the de facto role to manage cyber security. If there isn’t somebody in the organization with the title of CISO, there is somebody in charge of IT security. This person generally works for the CIO but not in all cases. I do a lot traveling around the world talking to customers and speaking at security events. From speaking with many CISOs, CSOs and CIOs, the community has decided that the IT groups handle the day-to-day IT operations while the security groups have much more of an oversight role: risk assessment, incident response, policy controls, etc. This means that the IT groups keep the firewalls up and running while the security groups are monitoring the logs and advising the CIO on security architecture and policy.
I don’t think this is the right model, either. In this modern world, I do not believe that security should be subservient to operations in all cases. Yes, the company has to keep its servers operational, but that does not imply that if push comes to shove, security is the first thing that we turn off in order to maintain operations.
For companies that understand risk to the business, security and operations are peers. Over Parts 2 and 3 of this series, I’ll explain why this is so important.