In some big companies it does make sense to have a polished CISO who is responsible for working both the Boardroom and the IT Executive management group. In those cases a strong security focused Deputy CISO should be considered for the heavy Security lifting that is also required. As a CIO friend of mine told me recently both of those skills is very hard to find in a single person.
My primary concern is for mid-range and smaller companies that want a CISO and are unsure of what skill set is most needed on the part of their CISO to fight organized crime, unscrupulous competitors or nation state actors. I believe that they are making a mistake with some current hires I have observed.
A somewhat scary trend that I am starting to see is now that CISO salaries are going up companies are putting Deputy or Associate CIO’s in those positions. This makes sense if we consider human nature as the CIO’s seem to be more comfortable with someone who is not “such a security guy or girl” talking to Executive Management.
Of course this approach continues to severely downplay the S (Security) component of the CISO role and is yet another path which, IMO, will lead to failure in the fight against Cyber Criminals. In many cases we need to move to having a ciSo instead of CIsO (a catch-phrase I am trying to get to catch on) and remember that it takes trained and experienced security professionals to fight organized crime, unscrupulous competitors and nation state actors. In my opinion the S in the ciSo title needs to carry the most weight for the majority of companies in their fight against cyber crime.