A question that has been around my mind for a while is “does the CISO need to become the CSO”? Is the responsibility of the Chief Information Security Officer too limiting, and should they be the Chief Security Officer? The issue with a CISO is that they often are limited when it comes to areas such as physical security, legacy systems and even specific line-of-business systems.

The limits of a CISO

The Chief Information Security Officer can have a role that is limited to just information assets. This may be appropriate for many companies, but does it actually achieve the desired outcome of increased or improved security? We are all aware that the weakest spot in any security is the people – and does this responsibility for cultural change and staff discipline lie solely with HR? If the CISO is unable to effectively change and influence behaviours, are they limited?

In many organisations, there are information systems that are outside the control and purvey of the CISO – “don’t mess” systems. These will often be:

  • Legacy systems, or out-of-support systems – that inherently don’t have good security,
  • Critical line-of-business systems that are considered to be too sensitive to change,
  • OT / industrial systems that have a specific role and are considered to be off-limits
  • Vendor-managed or niche systems, such as BMS for aircon or door pass access.

Finally, there may be areas that the CISO is unable to influence, such as paper processes, physical building security, non-IT supply chains and the like. The CISO is limited if they don’t have control over these areas.

READ ARTICLE:   2 Factor Authentication risks

The Chief Security Officer’s role

The CSO may be a legacy title, but in today’s connected businesses, their role should be 80% information systems, but importantly, also have responsibilities for physical, legacy, LOB, OT, BMS and cultural change.

See the wood for the trees

The next steps

Among the many challenges that CISOs face, this can include the limitation of their reach. The CISO should negotiate with the business to obtain access to the previously mentioned grey areas, to ensure that their influence is not limited to just the traditional areas of Information Security, and instead to actually benefit the business to achieve the desired outcome of actual security.

Share this knowledge