The traditional career path for a chief information security officer (CISO) is fairly straightforward. An individual begins their career in IT but ultimately moves to security after demonstrating a security mindset. Once established within the ranks of information security, the professional receives promotion after promotion until they attain the title of CISO. There, they enjoy the highest pay that infosec as an industry can afford while reporting directly to the chief information officer (CIO) about all things related to security.

Sound familiar? I bet it does…at least for the moment.

DevOps Connect:DevSecOps @ RSAC 2022

Things are rapidly changing for today’s CISOs. In its State of Cybersecurity Report 2019 (SOCR), Wipro found that CISOs have come under heightened scrutiny from the board. The Indian multinational corporation also found that just over a fifth (21 percent) of CISOs had begun reporting directly to CEOs. (That said, 51 percent of these executives still counted CIOs as their direct supervisors at the time of the study.)

Wipro noted in its report that organizations might be starting to move away from the traditional reporting model for CISOs because of the desire to avoid conflicts of interest. The CIO is chiefly concerned with implementing new technology projects to support the organization, whereas the CISO is interested in minimizing the organization’s risk level. These operational interests oftentimes align…but not always. Per Dark Reading, the CIO—and IT as a whole—tends to be less risk-averse than the CISO, who uses information security to keep the organization safe.

Even so, it’s irresponsible to reduce the changes identified by Wipro to mindset differences between CIOs and CISOs. Research has shown that organizations are safer when CISOs report to CEOs instead of CIOs. For instance, in it’s Global State of Information Security Survey 2014, PwC along with CIO magazine and CSO magazine found (Read more...)