During the last year, we did a lot of thinking about the role of the CISO, including a major survey we published. As we embark on our next round of research, I wanted to share a summary of how we see the Chief Security Officer role evolving. See the table below:
| Dimension | CISO Role Today | CISO+ Role in Future |
|---|---|---|
| CISO's Background | CISOs come from varied backgrounds<br>Often inherited the role<br>Moved up through the IT or business ranks<br>Some are hired from outside to shape public perception | Proven track record of leading during a crisis<br>Knows how to take risks<br>Able to manage, and to communicate clearly and concisely to upper management and the Board<br>Heavy on business skills, lighter on technical skills |
| Reporting Line | Typically reports to the CIO, usually with a layer in between the CISO and the CIO<br>Some CISOs report to the COO | CISO+ reports directly to the CIO<br>Responsible for strategy, policy, operations, compliance and crisis management |
| Level of Authority | Not always viewed as a key decision maker<br>Seldom an actual executive role<br>Often tactical and reactive | Transformational leader<br>Senior-level executive<br>Combined role of IT Risk Officer and CISO<br>Responsible for initiatives and operations<br>Strategic and proactive |
| Areas of Spend / Budget Responsibility | Majority of budget directed at maintenance projects that keep current initiatives running<br>Remainder spent on proactive initiatives and reactive projects | Majority of budget spent on transformational initiatives<br>Budget should be a percentage of the enterprise budget, since all functional groups have security requirements |
What do you think? Do you agree with the role today and how it will evolve to a strategic role in the future?
As I mentioned, the IBM Client Insights team will be completing our second CISO survey soon. We'll incorporate your comments into that work!
General Manager, IBM Security