The chief security officer of the future will tackle decentralized IT

Scott Lowe

Although many midmarket and SMB organizations have yet to dedicate a staff member solely to the information security role, the time to do so might have arrived. IT organizations are at a crossroads today, and the need for such an assignment is growing by leaps and bounds as organizations fall under ever more burdensome regulations. Security professionals will be in high demand as organizations branch out to leverage new trends and opportunities, such as bring-your-own-device and cloud services.

Here's what the role of a chief security officer (CSO) might look like in 2020.

The need for a chief security officer

Today's technology environments are spreading like wildfire. Connectivity to multiple disparate networks is seen as the norm, and organizations are increasing both the amount of gear they deploy and the number of applications they support. What's more, smartphones really are full computers that employees carry with them wherever they go, whether to a meeting, the boss' office, a movie, lunch or the offices of a competitor. This is technology that can be used for good -- or for evil.

By 2020, organizations will adopt multiple services from the cloud, bring your own device (BYOD) will be a way of life and the chief security officer will need to understand exactly how everything fits together. Today, organizations already struggle with BYOD and its security implications; by 2020, almost all employees will have smartphones and tablets, as well as the 2020 mobile device du jour.

There's more to consider. By 2020, cloud services will integrate more seamlessly into existing IT environments. I see cloud becoming just another services tier in many cases, but there will be a lot of hooks into the environment, and every single hook will be a potential security risk. Further, as more cloud services come into the organization, CSOs must review the vendor's security posture for each and every service as part of the acquisition decision.

In short, the CSO of 2020 will confront a massively decentralized environment that requires attention on multiple fronts.

Two views on the chief security officer role

Perhaps to the dismay of security professionals, the chief security officer still won't be considered a full member of the executive team in 2020. While information and organizational security are incredibly important to an organization, the entire security paradigm should fall into existing risk management systems. But CSOs will provide regular reports to the executive team and the board, particularly as information security grows in importance.

I don't see today's common business structures changing that much between now and 2020, but with more organizations hiring CSOs, the two existing structures will be solidified.

In one scenario, the CSO reports directly to the CIO and might even be somewhat off to the side of the formal IT organizational chart in order to maintain separation from "line" IT staff. The CSO regularly briefs the CIO on potential security issues and works with IT staff to ensure that any identified security issues are resolved as quickly as possible. In a perfect world, the CSO must sign off on items that could have a security impact, including new system and application deployments. The CSO is also responsible for performing regular penetration tests and generally verifying that the security systems that have been implemented are working well. The downside is that some may see IT as controlling both security and the reporting element.

On the flip side, some organizations require that the CSO have a dotted line to the organization's primary risk management officer to maintain effective checks and balances. This structure places the CSO directly inside the realm of the chief risk management officer. Here, the CSO is an outside agent rather than an internal resource for the CIO, and the CSO may or may not have a dotted line to the CIO. The responsibilities are similar, but the CSO may have more veto power over certain IT initiatives and services.

This is happening today to a point, but by 2020, I see the role of the CSO as helping organizations protect themselves from themselves. Too often, decisions are made that can have a negative security impact on the organization. By 2020, we will see more organizations with fully funded CSO positions, and these CSOs will have significant power when it comes to service acquisition. While they will not be fully autonomous, their signature will be required before the organization can agree to new service contracts and service engagements.

Today, although many organizations have yet to hire CSOs, we are seeing this position added to the payroll in some organizations. By 2020, the CSO will be all but a required position, whether due to complexity or regulation. The structures and responsibilities that are beginning to take hold today will explode as the breadth and depth of the security function grow alongside the expansion of the technology environment.

Scott Lowe is founder and managing consultant of the 1610 Group. A former CIO, he's a frequent contributor to TechTarget, TechRepublic and other IT publications. Write to him at editor@searchcio-midmarket.com or tt@slowe.com, and follow him on Twitter @OtherScottLowe.

This was first published in October 2012
