Is it time to split the CISO role?


Cybersecurity has gained a lot of space and attention in recent years and with that attention came legislations, regulations and a lot more scrutiny. One of the results of this is that CISOs have now more responsibilities that go beyond the technical aspects of defending enterprises.

An IANS study shows that CISOs oversee more than just information security; their remit often includes technical risk and compliance, among other things. Growing regulatory requirements mean there is a greater need for board oversight, and CISOs must continue to align evolving cyber risks with an understanding of the business landscape.

“CISOs are needing to work with the business’ executives, regulators, cyber insurance providers, and CFOs for budgeting, and they have to be fluent in the language of the business and translate that into cyber risk. That in itself is really a full-time role,” says Jon Oltsik, analyst emeritus with Enterprise Strategy Group.

At the same time, there are growing demands of managing increasingly complex technology, which requires dedicated attention and oversight. “The technology is becoming incredibly large and diverse and includes developing new applications and implementing new types of devices. We’re also on the cusp of massive AI adoption. Having someone who really understands all of that technology and can put the right controls in place with guidance from the business, is a different type of role,” Oltsik tells CSO.

Concerns over separating technical and business risks

The scope is only growing and by 2027, Gartner predicts that 45% of CISOs’ remits will expand beyond cybersecurity, driven by increasing regulatory pressure and attack surface expansion.

To address the expanding responsibilities, more organizations might follow the lead of banks and other big enterprises and differentiate responsibilities between several roles responsible for technical controls and business risk.

In one possible arrangement, a CISO reports to the CEO and a chief security technology officer (CSTO), or technology-oriented security person, reports to the CIO.

At a functional level, putting the CSTO within IT gives the CIO a chance to do more integration and collaboration and unites observability and security monitoring. At the executive level, there’s a need to understand security vulnerabilities and the CISO could assist with strategic business risk considerations, according to Oltsik. “This kind of split could bring better security oversight and more established security cultures in large organizations.”

However, there are many practical considerations and risks that come with carving out responsibilities and reporting lines. Taking the CISO outside the CIO’s purview risks putting a layer between managing cyber risk and oversight of the technologies. It could also deepen differences between IT operations, which focuses on keeping systems running, and security, which prioritizes keeping systems secure.

“Certainly everyone’s motivated to keep the systems up and running, not just the CIO, but security’s job is to make sure they’re also secure, and they could put certain gates in place that make it a little harder,” Oltsik says.

Then there’s the issue of security risks when developing and adopting new applications. If the security technology role is under the auspices of the CIO and IT, security considerations may not be given due consideration if there’s a conflict between performance and security.

“One of the reasons we’re in the situation with so many vulnerabilities is because software developers are paid to get code into production and oftentimes, they cut corners on security to do so,” he says. “So the risk is that by separating these two, the CISO becomes more of a figurehead without the operational responsibilities, and the CIO could direct the chief security technology officer to back off from the security stuff because it’s hampering productivity or performance.”

Could separation of certain functions improve risk management?

In other circumstances, it makes sense to have a head of cybersecurity to lead the technical, operations and architecture teams, and a CISO to lead governance, risk, and compliance functions, according to Chirag Joshi, CISO and founder of 7 Rules Cyber consultancy. “The governance and risk role could have more engagement with the board, presenting the metrics and measurements, strategy and policy,” Joshi tells CSO.

One of the SEC requirements is filing the annual cyber risk management program, and this is usually the role of the governance leader. They build a strategy that accounts for control measurements, but there’s a need to support that with someone who’s functionally independent and able to challenge it, when necessary. “Having a line of separation between operational and risk responsibilities can be beneficial because there’s more likelihood of being able to challenge the risk choice with that independence,” Joshi says.

Elevating the CISO role to the level of other C-suite executives makes the CISO a strategic business adviser focused on managing risk. Instead of simply answering the question ‘how do we secure this’, the CISO has input into whether the organization should be doing ‘this’ at all, whether that means adopting new applications or other security considerations.

To succeed in that, CISOs would need to adopt the language of the executive and be able to explain things in terms of proportionate investments and commensurate risk controls. “They need that risk language, but it’s not just measuring cyber risks as high, medium, low, but articulating why you have decided to invest proportionally into a control versus trading off against the risk acceptance. That’s a more difficult conversation, and it’s not as straightforward as the high-medium-low risk conversation,” Joshi tells CSO.

To successfully change focus, CISOs would need to get a handle on things like the financials and company strategy and articulate cyber controls in this framework, instead of showing up every quarter with reports and warnings. “CISOs will need to incorporate their risk taxonomy into the overall enterprise risk taxonomy,” Joshi says.

In this arrangement, however, the budget could arise as a point of contention. CIO budgets tend to be very cyber heavy these days, Joshi explains, and it could be difficult to create the situation where both the CISO and CIO are peers without impacting this allocation of funds.

Another potential friction point is application maintenance and who has the call on end-of-life considerations and weighing up costs versus potential vulnerabilities. “The CIO needs to manage costs and keep applications going as long as possible, but the CISO is more intent on moving to newer applications so they don’t have to worry about legacy vulnerabilities,” Joshi adds.

Is there a need for a head of security operations?

In other circumstances, organizations could follow the lead of larger banks such as Standard Chartered and adopt a model that allocates responsibilities along three lines — operations, risk, and audit. A head of cybersecurity operations is responsible for implementing controls and systems, a more specialized CISO oversees risk and compliance, and a third role is responsible for the audit function and can independently review the cybersecurity function, according to Wouter Veugelen, head of cybersecurity Australia and senior MD at FTI Consulting.

“The head of security operations does all of the prevention, detection, response, and the CISO is focused on governance, sets the policies on security controls and checks compliance, but they cannot be responsible for the implementation because that’s too extensive for one person to deal with all that,” Veugelen says.

Risk ownership

However, there are numerous challenges in splitting security roles, particularly around accountability. Separating responsibilities across multiple roles could make it less clear who is ultimately accountable for overall cybersecurity risk management and outcomes. Additionally, if operational security controls are separated from governance and risk management, it may be difficult to ensure proper accountability across both functions.

To address this, Veugelen suggests organizations need clear policies and guidelines around accountability to avoid gaps or overlaps between different security roles and functions. He also warns that the person who owns cybersecurity risk doesn’t own all risk if they don’t have all the control to mitigate it. “It’s preferable that ownership of risk sits with the stakeholders who have the budget and the authority to mitigate that risk,” he says.

Similarly, there could be a conflict about who has responsibility to report on risk to the board. In most cases, the CISO reports to the CIO, who then reports to the group executives, but this arrangement may not provide an option for a free and frank risk assessment. “If the CISO needs to report on risk to the board, but the board papers have to go through the CIO, the cybersecurity risk that’s reported on may paint a less than desirable picture on the CIO regarding systems that have not been maintained,” Veugelen says.

In this case, the CISO also needs to have a direct channel to the risk committee, to at least give them a balanced report on cyber risk, he says.

A lot depends on the corporate structure and ownership of risk, but this arrangement is more likely to suit larger outfits with more complex security needs and the scale to support separate roles.

Smaller organizations may lack the processes and structure required to manage multiple information security executives effectively, and it could potentially lead to gaps or even overlaps in accountability between roles. “It’s also likely that additional costs may be incurred to support separate security roles and functions within the organization,” Veugelen says.