Security Staff Acquisition & Development, Networking

Chief Information Security Officers: Time for CISO Roles to Change?

Remember when the world was young and your company's online security was the responsibility of one or two people sitting in the IT department? I do, but just barely.

As noted by PrivSec Report, today's role of the chief information security officer (CISO) has wide-ranging responsibilities for the security of systems central to an enterprise: "security operations, cyber risk and cyber intelligence, data loss and fraud prevention, security architecture, identity and access management, governance" and much more.

Many companies have found inventive ways to include the role of CISO within their organizations. Even today, some smaller companies may include CISO responsibilities as part of an IT executive's job. However, more typically, it is a full-time role that reports to senior management, most often to a chief information officer followed by CEO, COO or, perhaps, the corporate risk officer.

Broaden the scope of the CISO role

Author: Bob Bruns, chief information & security officer, Avanade
Author: Bob Bruns, chief information & security officer, Avanade

However, as companies around the world have been forced to accelerate their digital transformations, an additional organizational option to consider is combining security and IT/enterprise services functions. We've done this at my company and created a singular Office of the Chief Information and Security Officer (CI&SO), and it's shown significant benefits. The heads of our IT and security organizations report to me, resulting in a level of collaboration and joint decision-making that has surpassed even my expectations.

With this type of combined organization, security and IT have comparable seats at the table. No longer does one have to take a back seat to the other. Even more importantly, security is now everyone's responsibility, a concept that has become a part of our company culture.

All decisions are made jointly, and both provide input into the programs and initiatives of the other. For example, like many other companies, at the beginning of the pandemic, we were faced with ensuring our professionals remained as productive as possible working remotely. While we were already very prepared given how we run our business, there was still work to do.

Our folks came together as one team, making it possible for people who normally did not work remotely to work from home, looking at the security posture of the equipment fleet throughout our system and ensuring appropriate security for our people's home environments, workstations and home Wi-Fi networks. By working together from the beginning, our IT and security organizations were able to establish remote working arrangements that allowed our teams to securely continue their work on behalf of our clients in record time.

When it came to provisioning the equipment, the hardware side was knowledgeable about and considered the security aspects of the project, and thanks to their insight into the business requirements for remote working, the security team was able to provide the required security and risk sign-off seamlessly.

How to Broaden the CISO Role

If you are interested in this kind of dual IT/security CI&SO role, here are some points to consider:

  • A culture of security is critical. The change management component of driving security education, awareness and knowledge throughout the organization is central to getting the most from this type of organizational structure. "Security is everyone's business" can become ingrained in company culture with the help of active, ongoing communications and education initiatives on all available platforms.
  • An important benefit is shared accountability and knowledge across security and IT. In a combined IT/security organization, both sides are accountable for the success of the entire team. Each function contributes to the other's initiatives, and decisions are made with input upfront from both IT and security. This doesn't need to be cumbersome. Aim to meet once a week with adequate time to go through all projects and issues, which the various responsible groups can then execute on.
  • All parts of the organization are held jointly accountable. IT and security leaders should be jointly responsible for a comprehensive set of metrics related to the security and operation of your enterprise. They should not be working against one another; they should be responsible for one another's success.
  • Processes are shared across the organization. As part of any IT procurement, conduct a comprehensive security and data privacy assessment, a single process that stretches across multiple areas. One process shared across the entire joint CISO organization can boost efficiency while ensuring nothing is forgotten or neglected. The goal should be a procurement consensus that's based both on what is best for the business and what meets security protocols.
  • Create a governance risk compliance team. One team with representatives from across the security/IT organization can ensure a singular focus on governance, risk and compliance. By short-circuiting tussles over resources, budget and responsibility, everyone can focus on the business and security priorities.

Each enterprise will have unique circumstances that may drive decisions on organizational structure, and while it isn't a one-size-fits-all solution, combining the IT and security organizations has worked well for us and positions us well to take on the challenges introduced in the current environment.


Author Bob Bruns is chief information & security officer at Avanade. Read more from Avanade here.