Mike's random thoughts and ramblings

The Death of the CISO

I was talking with a good friend late last week, and he was telling me about the trend for the rapid decline of CISO's in the enterprise - this was something that I had noticed as well. We've both been seeing the CISO (and security in general) move away from a strategic role to a more tactical one within many of the enterprises we're seeing. We've also been seeing a split within security toward two distinct areas: regulatory compliance and risk management.

The interesting thing about this trend is that it's not wholely unsurprising. What surprises me most as a security professional is that it hasn't happened sooner - fundamentally, security is only part of a larger strategic function in the enterprise. And, while I'd argue that we as security professionals need to think more strategically, I don't know that I believe any longer that security should have the "seat at the table" of a C-level executive. Fundamentally, security just isn't enough of a business enabler on its own to warrant that seat.

What is, however, a business enabler is the task of risk management. And I mean that in the whole sense of the word - from the type of risk management performed by an information security professional, to eliminating risk from the perspective of failing regulatory compliance, the operational risk posed by poor quality and poor capacity planning, and the financial risk of bad investments.

Truly, the strategic function of security needs to be subsumed under a larger heading of Enterprise Risk that includes functions like "Quality and Performance", "Financial risk management", and Business Continuity. And we should be seeing more and more "CRO" (Chief Risk Officer) titles than CISO titles - the IS function shouldn't have a seat at the enterprise table.

But the manager of all types of corporate risk should, as risk reduction IS a strategic function that enables the business. But Information Security by itself isn't.

Funny to be an Infosec pro and suggest that, since I had hoped to be a CISO some day. Now, I'm setting my aim at a CRO title some day.

Share this post

About the author

Michael Murray

Michael Murray