CISOs may end up doing largely IT in one company; largely compliance in another; and pure risk analysis and management in yet another
Even as we completed 10 years of the CSOForum Summit and presented the third set of NextCSO awards, instead of the usual looking back, we decided to look to the future. That explains the theme of What’s Next for the 10th annual CSOForum Summit.
But before getting to the hows, it is not a bad idea to start with the whys: the imperatives behind a change that has been talked about for long but is finally happening on the ground only now.
While the usual topics, such as AI, analytics and the shift to a new regulatory regime focused on privacy and data protection, were discussed at length, the focus seemed to be on more practical, immediate trends.
One such trend caught my attention, at least partly because it signals the community’s maturity. Let us call it bi-modal security.
The once hot question of whether CISOs should report to CIOs has few takers now. Instead, there is a realization that organizational security needs two sets of people: one ensuring that what needs to be protected is protected in the best manner possible, while the other continuously scans for new threats and new challenges and is even willing to take on the attackers in a combative role. While the first responsibility requires excellent IT skills, an understanding of the business and up-to-date skills to tackle new security challenges, the second is essentially a risk management role with a broad understanding of security technologies. Needless to say, the two sets of people need to be part of two separate teams. The first is essentially an extension of IT.
The distinction may not be as sharp as this, but the roles are surely being separated. At least in the eyes of security practitioners, this distinction is far more relevant than the vague theoretical one between cyber security and information security that is customarily repeated at every forum.
A shift to this model, which is already in place in many organizations, will require some structural adjustments. For one, we do not know where the CISO belongs. They may end up doing largely IT in one company; largely compliance in another; and pure risk analysis and management in yet another.
Let’s see what’s next, and I also mean in the pages of this annual issue.