Chief information security officers are beginning to drift away from their companies' information technology hierarchies, and the career ambitions of their underlings may not look as bright as a result.
It may sound frightening, but it's just a natural industry evolution, according to research findings from Stamford, Conn.-based Gartner Inc.
Its recently released research summary, The top five issues of chief information security officers, outlines key issues challenging CISOs and their organizations heading into 2006. Foremost among them, said author and Gartner Vice President and Role Service Director F. Christian Byrnes, is whom CISOs will report to, and who reports to them.
Even though the CISO position is still relatively new, Byrnes said a number of large organizations with a mature outlook on security have adjusted their hierarchies so that, instead of reporting to a CIO or director of IT, the CISO reports to a chief risk officer (CRO), who answers directly to the CEO or board of directors.
"It just makes life so much easier," Byrnes said, noting that it not only demonstrates that an organization's leaders are dedicated to mitigating business risks, but also makes it easier for CISOs to justify security expenditures. "If you work for the CRO, all you have to do is prove that [a purchase] is an intelligent business decision."
Byrnes said Gartner estimates that 30% of its clients have already adopted the organizational model, and more will over time. He said many CISOs have found that as their companies' understanding of and interest in security increases, their bosses, often CIOs, don't possess the clout needed to accomplish what often amounts to a radical strategic shift.
"We had seen the trend prior to SOX, but since then it's caused the preexisting trend to explode," Byrnes said. "Compliance spending right now is probably close to its peak, but there are still lots of organizations that haven't absorbed how to be compliant."
While the change may make life easier for CISOs, it's not good news for some security specialists. Byrnes said that as the CISO moves out of the IT organization, the security specialists who go with him often find that their careers struggle as a result.
For instance, if a company's CISO is responsible for intrusion detection, then IDS specialists may transition with him or her into a group outside of IT. While that team would likely specialize in monitoring, forensic network analysis and recovery processes, there would be little career development and far fewer opportunities to move up the ladder than in the larger IT organization.
Essentially, Byrnes said, it's an irresolvable conflict.
"The question becomes how many functions should migrate outside of IT, because security has a lot of technical requirements," he said. "We know certain security functions will move out of IT with the security officer, but unluckily that 'dead-ends' most of the other people who make the move."
Plus, Byrnes added, even though risk auditors may like having security functions separated from IT, a CISO would only be responsible for security policy management, calling into question which group has the power and the ability to monitor policy enforcement.
"That brings you right back to the problem of if IT is monitoring enforcement," he said, "and [if] the systems administrator is the person stealing things, who is going to catch them? Who is motivated to?"
Though questions about the changing role of the security officer will linger for some time, Byrnes said the transition will help CISOs be more effective in the long-term. That's because many of them rely on their IT background, mistakenly underestimating the importance of talking with business managers and reaching a common understanding about the role security plays.
"I can give you an hour and a half on why awareness programs haven't worked and where they have to be five years from now," Byrnes said. "If the CISO comes in and focuses on technology, they may never figure out why they were fired."