The Evolving IT Risk & Information Security Role

White Papers | September, 2015

By Peter T. Metzger

CEOs and boards today are increasingly interested in probing and understanding the topic of information security and technology risk. That’s no wonder given that security breaches and data compromises are receiving front-page news coverage with increasing frequency—exactly the kinds of events that businesses fear. As a result, IT risk awareness exists at higher levels within organizations than ever before. And that awareness is broader, as IT risk is no longer an “IT issue,” but a business issue, an enterprise issue, and a universal corporate concern. The expansion of technology awareness raises several questions, the most important being, “How do I structure the function and the team to ensure that my organization is sufficiently protected?”

The iPad Phenomenon

New technology—namely, the mobile device—has impacted business and corporate environments more significantly than many would have predicted even a few shorts years ago. Digital devices are replacing older tools, as presentations, transactions, and workflow functions are executed via devices that are more ergonomic and accessible than machines of prior generations. Perhaps the most significant shift has come in the exposure of senior leaders to technology. Technology, a function forever dismissed by CEOs and boards, is suddenly a topic of interest.

Historically, technology leaders struggled to gain the support of top management. The inverted relationship between level of seniority and level of technology understanding resulted in divides between technology leaders and those at the top. Successful Chief Information Officers (CIOs) have managed to breach this divide and gain the trust of their CEOs and board members. Over the years, CIOs have employed various techniques to do this. The entry of technology into the hands of CEOs and board members has made this job easier. The technology divide has rapidly narrowed as senior executives have become more comfortable with technology and with asking the right questions about technology and related management issues.

A primary driver of this has been the introduction of the iPad and, subsequently, other user-friendly tablet devices. Corporate board meetings involving the delivery of stacks of reports and thick binders to members quickly transitioned to digital document distribution with board members preparing for meetings by reviewing information on their tablets. The significance of this has been tremendous, as the devices propelled a generation of technology-obstinate leaders into the modern age. This leap forward has been akin to Rumpelstiltskin awakening under the bridge in an age different from the one he remembered only yesterday. Directors and CEOs awakened suddenly interested in technology issues. They sought out their corporate CIOs and questioned them about technology capabilities and emerging solutions. And, this heightened level of IT interest led to a heightened awareness of IT issues.

This “board-level awareness” has coincided with an explosion of high-profile incidents. The great proliferation of data along with notable failures in properly securing this data has resulted in an increase in catastrophic events in the corporate world. As accounts of these events began to appear on the front pages of global newspapers, board members read the stories with both interest and concern. Almost overnight, senior leaders knew enough to know that their corporations were exposed, and perhaps just lucky. CIOs were called into the boardroom to present the same threat briefing that had been presented in years prior, with little notice by those in attendance. Almost overnight, IT security and IT risk were corporate priorities.

So…Who is Responsible for IT Risk?

The IT risk “hot potato” is one that falls into—and may be tossed back from—the hands of many. Depending on the organization, ultimate responsibility rests in different places. The components of risk, technology, security, and compliance almost guarantee that IT risk involves a matrixed blend of many departments.

Prior to recognizing that IT risk was a team sport, responsibility for IT risk often sat in the CIO’s organization. And, it often sat many layers down. When IT security appeared as a concern more than a decade ago, the term “IT risk” was seldom used. Acknowledging the operational focus rather than the strategic importance, the function was more commonly called “IT security.” Formally originating in the late 1990s within major corporations and financial services firms, the position evolved into the Chief Information Security Officer, or CISO, with the coming of the new millennium.

The early generation of IT security leaders and CISOs came from a number of different backgrounds, but there were three typical CISO evolutionary paths:

pathways_to_modern_CISO_graph.jpg

As the CISO role became more established, the models began to merge. Early stage CISOs often had experience and qualifications in a combination of policy, compliance, and technical areas, with these CISOs often reflecting their industry’s focus. Banking CISOs were commonly the “Soft CISOs,” while those in defense corporations were more frequently the “Security Industry” types. Regardless of industry, over the coming years, the highly technical firewall experts were layered down in organizations as they were commonly viewed as lacking the necessary policy development and implementation skills. Over time, talented leaders emerged from all three of these pathways to become the CISOs of 2005-2010.

Reporting Structures: The Early Years

As information security evolved, the largest organizations with multiple lines of business built out matrixed security functions designed to support businesses and geographies. As complexities increased, corporations created positions at the central enterprise level, typically under the CIO. The corporate/enterprise CISO began to emerge as an executive capable of leading in many areas: security policy, audit, and compliance—but not always security technology, as the combination of these many skills was just too broad. Early CISOs were layered down in the organization, with the role viewed as a preventative and administrative function, rather than one that was strategically critical to the organization. Those early CISOs did not think or operate as holistically as CISOs do today.

Significant changes began to occur in the years 2002 and beyond. A broader recognition of disaster recovery threats came from the lessons of the 2001 terrorist attacks. IT risk began to enter the conversation for CIOs and others, with IT risk gaining recognition at higher and more critical levels. Many industries saw heightened requirements, such as HIPAA in the healthcare industry. Regulatory and compliance demands required greater executive involvement. CISOs began to partner with, and in some cases report jointly to, higher level enterprise risk and compliance executives, while still “solid-line” reporting to the CIO. This drove a need for technically capable CISOs who also possessed strong business-partnering skills. External to the CIO, AML and Anti-Fraud groups matured under operations leaders.

Recent Changes to the Role

In recent years, IT risk responsibilities have become aggregated. Increasingly, there is a holistic approach to information security, governance, risk, HR (employee background checks), vendor management (vendor background checks), IT disaster recovery, and even physical security. Few organizations have successfully aggregated multiple functions under a “Security Czar,” as the Head of Physical Security is not seen as an appropriate manager for the CISO, nor should the CISO manage the Head of Physical Security. Neither is typically viewed as an appropriate candidate for an enterprise risk role, as that role also involves components of business risk. And, AML and Anti-Fraud continue to remain outside of the CISO/IT risk group. Matrix reporting, involving risk, CIO, CISO, and physical security, attempts to tie all aspects of security together, as most organizations focus on partnering rather than formal aggregation of responsibilities. Committees are commonly used to bridge gaps and achieve the holistic focus on cooperation between the many functional leaders whose responsibilities combine to address “IT risk.”

Future Changes to the Role

Some organizations have formally combined these many responsibilities under a single senior leader. Yet the role’s ever greater demands drive the question: “Is this too complex for a single executive to manage?” Is disaggregation of responsibilities the next wave? As banks have grown larger, so too have their IT risk and compliance requirements grown larger and more complex. In the words of one top IT risk executive, “I can no longer do my job…it is too broad for me to manage what I managed a few years ago…The single solution for the future is a co-head management structure that is dependent upon cooperation and teamwork.”

The Changing CISO Role: Aggregation and Possible Disaggregation of Enterprise Responsibilities

changing_CISO_role.jpg

Comments from Top CIOs and CISOs on the Topic of Convergence and the Future

  • “The industry simply got too big…we need to silo responsibilities to maintain focus on the critical parts of the IT risk and CISO roles. Convergence worked in 2004, but it is increasingly difficult today.”
  • “I struggle for succession to my CISO role.…The growing complexities of SOX, risk, security operations, etc., have forced me to build a team of specialists beneath me. Broader executive management skills suffer. If I leave this organization, my job gets broken into many parts. There is simply no one on my team prepared to succeed me. The only path forward, in my opinion, would be a co-co-co leadership team.”
  • “There are only a few true IT risk heads in the industry who are able to lead a complex converged organization, and they are accidents of history who came in with technical capabilities and rode the crest of a wave to ‘see it all,’ ending up in converged IT risk roles.”

Talent Options for IT Risk Leadership

The complexity of an aggregated IT risk leadership role leads most corporations to seriously consider a short list of options for structuring the internal IT risk leadership role and the team. Among the options:

A. Head of IT Risk Executive, who possesses the full scope of skills and responsibilities

  • Market is very limited. Few leaders with the needed range and depth of capabilities exist
  • In many ways, the least practical of all options as this model is the most rare

B. Break the role into a co-leadership arrangement

  • The current approach of most firms and the stated future approach of some that currently have single-point IT risk leaders
  • Recognizes that the span of duties has grown “too large to manage,” but also defeats the intent of many CEOs to aggregate responsibilities

C. Information Security Czar

  • Hire an experienced large scale executive into the role
  • Target sitting/past CIO, COOs, or CROs who have managed large teams and interacted extensively with business leaders
  • While not a highly technical CISO expert, this leader will have managed CISOs in the past and will understand the broader issues, so that he/she can govern the many responsibilities of the role

As the business challenges and responsibilities for IT risk leaders continue to evolve, so too, inevitably, will the targeted talent profile and leadership structure. But there is no doubt that IT risk leadership will only grow in its strategic and business-critical nature in the years ahead.