Death of a CISO

kingkong21 @ Flickr

Over the past 7 years or so we've seen the introduction of the Chief Risk Officer (CRO). Mostly found within financials at first, the role is now gaining steam in other industries. Alongside its rise we are also seeing, much more recently, the CISO role being split to account for two different functions. The first is the operational component of security: firewall management, vulnerability scanning, incident response, and so on. The second is the governance and risk management disciplines that are still fairly new to our industry. What's interesting is that I'm starting to see, for the first time, the CISO role, which used to contain both of those functions, actually being separated. The operational role is staying with the CIO or the respective head of technology, and the risk component is moving into the CRO organization. Some have called it the Information Risk Officer (IRO).

I think that while this is fairly new now, it will become the migration path for the CISO role. We could eventually see the CISO role deprecated completely in 5-10 years as this picks up steam. Where some might see this as the end of our ability to properly secure our environments, I see it as a fantastic opportunity to drive proper risk management into corporations, with information risk (security risk) as a major part of it. Historically, we've struggled to create and implement a good risk management approach in industry, and we are just now breaking through that ceiling. I see this as an opportunity to shatter it and accelerate our ability to move our industry forward.

So what's a current CISO to do? Like my mother always said, "Do what you love." Are you a risk / governance individual or an operational one? Whichever it is, learn and grow that discipline and market it internally. If you are an information risk management (IRM) individual, learn the other disciplines of governance and risk, and learn how to integrate security into the enterprise risk management (ERM) model.