A recent report by Trellix indicated that due to growing complexity, responsibility, and regulatory accountability, a majority of CISOs believe their role should be split into separate positions.
This finding struck me as a little odd. It seems counterintuitive that CISOs would really want their role split between technical aspects and cyber risk leadership.
I cannot imagine this tactic being successful. First, nobody wants to add more C-level executives; that just complicates leadership circles. Second, the risk leadership role needs direct oversight of technical protective measures, compliance, and behavior/policy in order to properly understand and manage overall cyber risk.
I do, however, believe that depending on the size and complexity of the environment, the technical role should be a reporting function into the CISO. The same is true of other domains such as GRC, threat intelligence, risk quantification, and perhaps even privacy!
I don't see a positive outcome if any of these roles are separated from an existing CISO's oversight. It should not be a split, but rather a purposefully designed hierarchical structure under the CISO that makes the leader more capable and effective in navigating and steering the risk seas.
It does not seem too smart to carve out such an important aspect!