As cybersecurity has become an increasingly important consideration in corporate decision-making, there's been a corresponding move to elevate the role of the chief information security officer (CISO) to a higher point in the executive hierarchy. The reasoning seems to be, "If cyber is important, CISOs must be important." However, elevating the role sets the CISO up to be a lone voice in the desert crying "security," with little connection to the day-to-day decision-makers in IT, engineering, or products.
This has led to some undesirable consequences, like the Facebook exec who thought it was OK that the company's security measures caused hours-long delays in responding to its Oct. 4, 2021, outage, or the Uber exec who paid off hackers who breached his system, rather than acknowledge the breach, or the numerous CISOs who have invested in "additional layers of security" rather than admit they made poor selections initially. In all of these cases, the CISO's isolation from functional business units undoubtedly played a role in the tunnel thinking these decisions reflect.
Perhaps it's time to reimagine the role of the CISO. Maybe it's better to see the CISO's importance reflected in organizational impact rather than organizational status. Perhaps embedding security in functional units will result in better security.
Imagine the CISO as a part of the IT organization ecosystem. They would be involved in every decision about the infrastructure, and security concerns would be integral to those decisions rather than tacked on after the fact. This would allow for a set of "security" solutions based on how the network is structured and managed, rather than on special security capabilities inserted into the infrastructure by an outside group.
Imagine a security expert embedded in the software development organization. They would be able to refine the development process to make sure code is written and tested with an eye to security, without saddling the developers with processes that are alien to them, thereby reducing the vulnerabilities in the company's code. Imagine a security expert embedded in product lines. They would be able to make sure the corporate infrastructure protects their IP and that their development process reduces the vulnerabilities in their product.
In all these cases, security becomes a factor in corporate decisions grounded in the reality of corporate operations. The technical expertise of the CISO becomes integral to day-to-day work rather than a constraint imposed upon it. Similarly, security and compliance need to work seamlessly so that financial systems and communications with partners and vendors remain secure. This extends to telecom systems and other hardware.
The Risk Factor
This seems like a more impactful way to make the technical dimension of security a powerful voice in company execution. However, one may wonder if this will diminish the policy dimension, balkanizing it to address the special interests of individual functional units. This concern can be addressed by expanding the role of the chief risk officer to include the security policy functions currently carried out by the CISO.
This has the benefit of keeping security policy at the C-level, where it gets the attention it needs. It has the further benefit of having cybersecurity risk considered in the context of other risks (risk to availability, risk to reputation, to address the cases above). Security would no longer be an end in itself, but a dimension of doing business. This doesn't mean security needs to battle it out with other concerns and make accommodations that compromise the security posture of the organization. Rather, it sets up an environment that trades the either/or mentality for one that seeks to satisfy all requirements.
There are numerous access control technologies that would have protected Facebook effectively without locking out its own personnel. When the security risk is considered along with the availability risk, those more pragmatic solutions would emerge.