Although many midmarket and SMB organizations have yet to dedicate a staff member solely to the information security role, the time to do so might have arrived. IT organizations are at a crossroads today, and the need for such an assignment is growing by leaps and bounds as organizations fall under ever more burdensome regulations. Security professionals will be in high demand as organizations branch out to leverage new trends and opportunities, such as bring-your-own-device and cloud services.
Here's what the role of a chief security officer (CSO) might look like in 2020.
The need for a chief security officer
Today's technology environments are spreading like wildfire. Connectivity to multiple disparate networks is seen as the norm, and organizations are increasing both the amount of gear they deploy and the number of applications they support. What's more, smartphones really are full computers that employees carry with them wherever they go, whether to a meeting, the boss' office, a movie, lunch or the offices of a competitor. This is technology that can be used for good -- or for evil.
By 2020, organizations will adopt multiple services from the cloud, bring your own device (BYOD) will be a way of life and the chief security officer will need to understand exactly how everything fits together. Today, organizations already struggle with BYOD and its security implications; by 2020, almost all employees will have smartphones and tablets, as well as the 2020 mobile device du jour.
There's more to consider. By 2020, cloud services will integrate more seamlessly into existing IT environments. I see cloud becoming just another services tier in many cases, but there will be a lot of hooks into the environment, and every single hook will be a potential security risk. Further, as more cloud services come into the organizations, CSOs must review the vendor's security posture for each and every service as part of the acquisition decision.
In short, the CSO of 2020 will confront a massively decentralized environment that requires attention on multiple fronts.
Two views on the chief security officer role
Perhaps to the dismay of security professionals, the chief security officer still won't be considered a full member of the executive team in 2020. While information and organizational security are incredibly important to an organization, the entire security paradigm should fall into existing risk management systems. But CSOs will provide regular reports to the executive team and the board, particularly as information security grows in importance.
I don't see today's common business structures changing that much between now and 2020, but with more organizations hiring CSOs, the two existing structures will be solidified.
More on information security
Ten compliance and security tips for SMBs
Risk management strategies tutorial
In one scenario, the CSO reports directly to the CIO and might even be somewhat off to the side of the formal IT organizational chart in order to maintain separation with "line" IT staff. The CSO regularly briefs the CIO on potential security issues and works with IT staff to ensure that any identified security issues are resolved as quickly as possible. In a perfect world, the CSO must sign off on items that could have a security impact, including new system and application deployments. The CSO is also responsible for performing regular penetration tests and generally verifying that the security systems that have been implemented are working well. The downside is that some may see IT as both controlling security as well as controlling the reporting element.
On the flip side, some organizations require that the CSO have a dotted line to the organization's primary risk management officer to maintain effective checks and balances. This structure places the CSO directly inside the realm of the chief risk management officer. Here, the CSO is an outside agent rather than an internal resource for the CIO, and the CSO may or may not have a dotted line to the CIO. The responsibilities are similar, but the CSO may have more veto power over certain IT initiatives and services.
This is happening today to a point, but by 2020, I see the role of the CSO as helping organizations protect them from themselves. Too often, decisions are made that can have a negative security impact on the organization. By 2020, we will see more organizations with fully funded CSO positions, and these CSOs will have significant power when it comes to service acquisition. While they will not be fully autonomous, their signature will be required before the organization can agree to new service contracts and service engagements.
Today, although many organizations have yet to hire CSOs, we are seeing this position added to the payroll in some organizations. By 2020, the CSO will be all but a required position, whether due to complexity or regulation. The structures and responsibilities that are beginning to take hold today will explode as the breadth and depth of the security function grows alongside the expansion of the technology environment.
Scott Lowe is founder and managing consultant of the 1610 Group. A former CIO, he's a frequent contributor to TechTarget, TechRepublic and other IT publications. Write to him at firstname.lastname@example.org or email@example.com, and follow him on Twitter @OtherScottLowe.
This was first published in October 2012