Relationships can be a lot of things: wonderful, terrible, enriching, stressful. Sometimes all at once.
These terms surely apply to the CISO and CIO relationship within organizations.
And there are major shifts occurring in this CIO-CISO intersection right now.
I recently interviewed IT research powerhouse Larry Ponemon during a SecureWorld cybersecurity conference and he quickly rattled off five changes that he's seeing.
Role of the CISO changing: Top 5 changes now
- There are more CISOs than ever before: "Many companies that had Information Security Managers, or titles like that, now have created a CISO position."
- CISO prominence continues to grow: "One of the big changes we're seeing is that CISOs are moving up and becoming true C-level executives."
- Many CISOs are now from non-technical backgrounds: "The most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board."
- CISOs are shifting into a coaching role: "Lines of business are taking on more responsibility for the risk, and so we're seeing more CISOs go from holding all the risk to becoming more like a coach, helping all lines of business to understand the things that need to be done to ensure cybersecurity."
- CISOs are feeling increased pressure: "New pressures on the CISO include the need to provide assurance and/or full disclosure on compliance issues, especially with major new requirements like GDPR and tough state laws like those in New York. We may see these types of regulations spread."
More changes: CISO vs. CIO
Just like CISOs, CIOs have been undergoing role changes driven by the need for new technology, increased security, and the demands of the business.
And according to a great read in I-CIO on "The changing relationship between the CIO and CISO," the two roles are starting to work well together more than ever before.
“As information security has increased in importance, the roles of the CISO and CIO have certainly become more collaborative. Now, both execs tend to be pulling together towards the same goals of accessibility, security and organizational resilience.”
And the article makes the case that a new reporting structure is emerging as we head into 2018. “Security is becoming a strategic aspect of the enterprise, and in a digital world is only growing in importance,” argues UNIQA CIO Alexander Bockelmann. “So CISOs should report to the board level.”
Do you agree that CIOs and CISOs are working together more collaboratively than ever before? And to whom should CISOs report?