During the last year, we did a lot of thinking about the role of the CISO, including a major survey we posted. As we embark on our next round of research I wanted to share a summary of how we see the Chief Security Officer role evolving. See below:

CISO Role Today CISO+ Role in Future
CISO’s Background
  • CISOs come from varied backgrounds
  • Often inherited the role
  • Moved up through the IT or business ranks
  • Some are hired from outside to create public perception
  • Proven track record to lead during a crisis
  • Knows how to take risks
  • Ability to manage & communicate clearly and concisely to upper management / Board
  • Heavy on business skills  / Lighter on technical skills
Reporting Line
  • CISOs typically reports to CIO; typically a layer in between CISO and CIO
  • Some CISOs report to COO
  • CISO+ reports directly to CIO
  • Have  responsibility for; Strategy, Policy, Ops, Compliance, Crisis Management
Level of Authority
  • Not always viewed as a key decision maker
  • Seldom an actual executive role
  • Often tactical and reactive
  • Transformational leader
  • Sr. level executive
  • Combined role of IT Risk Officer & CISO
  • Responsible for Initiatives & Ops
  • Strategic & pro-active
Areas of spend / Budget responsibility
  • Majority of budget directed at maintenance projects to keep current initiatives running
  • Other spending on pro-active initiatives and reactive projects
  • Majority of budget spending will be on transformational initiatives
  • Budgets should be a percent of the Enterprise budget since all functional groups have security requirements

What do you think?  Do you agree with the role today and how it will evolve to a strategic role in the future?

As I mentioned, the IBM Client Insights team will be completing our second CISO survey soon. We’ll incorporate your comments in to that work!

more from CISO