Let me start with two recent experiences I have had.
Just recently, I was sitting in front of a number of CISOs and had the opportunity to ask them how many of them also had responsibility for IoT and smart manufacturing in their organization. The simple answer: none of the CISOs had. At best, they were informed, but neither responsible nor accountable.
The other one was a conversation in which a business partner, in the context of my recent blog post on Shodan, started complaining about the ignorance of CIOs and CISOs regarding the risks both for Operational Technology environments in smart manufacturing and for IoT in connected things.
While we can read a lot these days about the future role of the CIO, the even more important question appears to be the new role of the CISO and what the future IT security organization must look like.
The fundamentals for restructuring the (not only IT) security organization are:
- Governance and operations must be kept separate.
- Operational aspects of security must move into the business divisions, e.g. manufacturing or R&D (for example, when developing connected things).
- There must be a comprehensive responsibility for security, across business IT, OT (including but not limited to smart manufacturing), and IoT security.
Just as government is split into legislative, executive, and judiciary branches, we need to split responsibilities in our organization. In consequence, the CISO must not be a subordinate of the CIO, but part of the governance organization. Given the current state of cyber risk, the CISO should be a direct report to the board, in particular to the board member who owns responsibility for governance, which most commonly is the CFO or COO.
Unfortunately, the role of the CISO is heavily undervalued in many organizations, which might date back to the days when organizations did not need a CISO and only had a corporate data protection officer with limited responsibilities. That has changed, and the change must be reflected in the organizational structure. I have seen large multi-national organizations where the CISO is three levels below the board, which is just ridiculous.
For the (not only) IT security organization, keeping governance and operations separate also means that there are two distinct functions: security governance and security operations. Implementing security is an operational task. It must become an integral part of the organizational entities themselves. There must no longer be separate security organizations; instead, security must be part of each area of IT, of manufacturing wherever applicable, and of everything from research to support around connected devices. Governance, however, from guidelines to auditing, is the job of the CISO.
Notably, there is one part of the security organization that appears to be operational but should belong to the CISO's department: what we commonly call a Security Operations Center (SOC) is, from my perspective, part of the governance function, not of the operational function within security. Aside from that, it is cross-divisional (business IT, OT, etc.), so it is best placed under the CISO's responsibility.
With the broader view on security beyond business IT, and the hyper-connected environments we already have, we must get rid of siloed approaches. Smart manufacturing is about connecting business IT and manufacturing. Thus, there must be a central responsibility for IT governance, while the operational implementation of security must happen in the various divisions, with well-defined communication and interfaces in between.
As implementing security becomes part of the operational responsibility, it should also become one of the manager's objectives. If a manager fails in risk identification and mitigation, that manager has failed to achieve their business targets. As of today, ignoring risk appears to be the better choice for many managers trying to achieve their targets, because risk mitigation costs money. This is a challenge from a short-term, personal perspective. From a mid-term perspective, understanding risks, mitigating them, or at least preparing for incidents will save money, which is a positive from an enterprise perspective. Fixing audit findings in “panic mode” costs far more than any other approach.
Redefining the role of the CISO in the way described above will also help organizations get better at dealing with risks before incidents occur, because the CISO's job is to identify risks and propose mitigations, not to ignore them.