The chief information security officer role carries with it huge responsibility. Today's CISOs manage a 24/7 cybersecurity operation, stay ahead of cybercriminals, and comply with an ever-growing body of legislation, and the job continues to grow. Is it time businesses considered splitting the CISO role?
Finding a leader with the necessary skills – from technical knowledge and business skills to regulatory savvy and strategic vision — is nearly impossible. Those that do make the grade often find themselves in danger of burnout. This overload can lead to gaps in an organization's cybersecurity posture, exposing them to an increased risk of breaches.
The traditional model of a singular CISO charged with securing data and systems, and other duties stretching far beyond the traditional realms of IT security, should be reevaluated if we are to avoid cyber leaders fleeing to other professions.
The case for splitting the CISO role
Splitting the CISO role can address these challenges by allowing for greater specialization and focus. By dividing responsibilities among several deputy CISOs, each can concentrate on specific domains that have expanded to match the cognitive capacities of multiple FTEs. This can reduce the burden on a single executive and ensure that each area of cybersecurity receives the attention it requires.
Specialization can lead to better risk management, business alignment, and overall cyber hygiene as experts in specific domains apply their focused knowledge and skills. Moreover, this structure can enhance the agility of the cybersecurity team, enabling quicker responses to threats and regulatory changes.
Phased implementation
A practical approach to splitting the CISO role could involve establishing several deputy CISO positions.
Aspects of cybersecurity that relate to compliance could be moved to the chief financial officer or chief risk officer. This way, they can be evaluated higher in the organization along with other important non-cybersecurity factors.
Consider the second version of NIST’s cybersecurity framework (CSF), which includes a sixth interconnected function: Govern. NIST describes it as, “The boss of cybersecurity. It guides how a company will plan and prioritize its cybersecurity efforts to match its goals and what its customers and stakeholders expect.” Given the breadth of this function and potential for financial impact, the CFO/CRO would certainly have shared oversight.
The non-business part of compliance, such as staying abreast of data privacy regulations and data sovereignty laws in the wake of the artificial intelligence era could be headed by a deputy CISO for compliance. This role would make sure all cybersecurity measures follow the law and regulations. The person would be well-versed in the legal aspects of cybersecurity, having a degree in law or a related field, along with certifications like CIPP/E or CISM.
Similarly, a traditional CTO can handle the evaluation and procurement of the technologies associated with cybersecurity. In many organizations, the CTO already overlaps considerably with cybersecurity, especially those that have teamed up to launch zero trust architectures.
In global enterprises with a hundred thousand end users or more, a deputy CISO for technology could help bridge the technical aspects of IT and cybersecurity, including the development and implementation of security technologies like endpoint security, ZTA, and SASE.
Lastly, a deputy CISO for operations could conduct day-to-day management of the cybersecurity team, focusing on incident response and operational resilience. They would handle crises and hold certifications such as a CISSP.
This structure fosters depth of expertise and facilitates more effective communication and strategy implementation across different areas of the organization.
Getting realistic
Implementing this split-role structure is not without its challenges, even if it could improve communication and protection. Success would depend on various factors, including the size and culture of a company, recent incidents, and timing.
One of the primary concerns is the recruitment of qualified candidates, as well as the high cost of supporting multiple high-level cybersecurity positions. This could be minimized in cases where staff can be reallocated or reassigned.
The place to kickoff this important conversation is at the board level, and it needs to start today. Priority setting and changes to the C-suite can only be meaningfully addressed at the highest decision authority at an enterprise.
A phased implementation strategy would start with a trial period, for example, by appointing a deputy CISO for technology. Given the rapid pace of technological risk and threat, this executive would have their hands full on day one. The new role would allow the team to adjust workflows and communication channels before fully instituting any other deputy roles or transfer of ownership. During this period, the C-suite can evaluate the effectiveness of the split and adjust before further roles are filled.
The rubric to facilitate the discussion is available and commonplace for most high-performing organizations: Organizational Development (OD) and Organizational Effectiveness (OE). OD/OE helps to improve people, process, and planning. It can show you what you need, how to change your organization’s behavior, how it will work, and other things you need to do to make the transition through the maturity stages.
Splitting the CISO role is a good way to solve the problems of modern cybersecurity management. It allows for focus on specific actions that make protection, defense, response, and compliance better. By adapting to the complexities of the digital age, organizations can better safeguard their assets and maintain trust with their stakeholders.
On a final note, on October 3, I will be speaking on this topic at an upcoming ISSA event in Chicago. If you are local, consider joining us.
What to read next
If a recession comes, cut cyber professionals at your peril
5 behaviors for transforming your cybersecurity leadership
Analyzing the Pros and Cons of Splitting the CISO Role