As I reflect on the many meetings and interactions I have had with CIOs, CTOs, and CISOs as well as my own experiences in each of these roles, and I have noticed some real shifts that have become more pronounced in 2017.
As businesses mandate more innovation driven by technology, it’s not unusual for the role of the CIO and CTO to become more critical. But in many cases, the CISO is becoming more of an after-thought or a checkbox on key initiatives. Should we be concerned?
The morphing of IT from on-premise data centers to cloud-based infrastructure, services and apps means we should expect existing roles to evolve. But that doesn’t mean CISOs are out. The CISO should be leading a strategic corporate shift from on-prem security to managing new risks in the cloud.
It’s a dicey proposition to suggest how you should structure execution of your organization’s business processes. The requirements and end result will vary depending upon need, regulatory requirements, and risk appetite. But after helping many organizations hone their strategy, I canpredict the types of typical requirements needed to implement a cloud-first approach and how they differ from a data center centric approach. And I know what needs to be done for a successful deployment and to maintain a high quality of user experience.
The most important point for security professionals is this: whatever your organization calls the person running security, that individual will clearly be focused less upon on-prem security solutions and will need to shift focus to managing new types of risks associated with the cloud.
The nature of the relationship between the CIO and CISO is changing due to the cloud-first model. It eliminates the requirement to specify, deploy, manage and maintain a range of technologies that are now automatically handled by cloud service providers. The upshot is our prediction of three role shifts for people leading enterprise IT activities.
- CIO shifts from technology first to business first
- CTO shifts from architecting corporate networks to embracing the cloud
- CISO shifts from security and controls to risk and enablement
Briefly, the CIO’s shift reflects how business drivers are now leading the use of technology and not the other way around. The non-technical board of directors can easily see how new companies have leveraged the internet to rapidly build huge profitable businesses and wealth in just a few years. Don’t be so surprised that boards are telling CIOs what the business needs from technology. Many business leaders want the cloud to drive everything.
Since the physical running of IT infrastructure is shifting into the cloud, the roles of IT operations on premises will diminish. There will be a bigger need to coordinate what’s happening in the cloud with business users’ needs wherever they are working. This will be mandatory as enterprise and business apps move into the cloud. The transformation won’t happen overnight as legacy apps will be with us for some time. But the CTO’s need to focus upon on-prem infrastructure will drop off. Engineering the cloud-first approach will dominate the CTO’s focus going forward.
And for the CISO: now is the time to get conversations with the board of directors moving from security technology to a risk-based perspective.
It’s silly to promote a legacy “protect the castle inside the moat” approach when enterprise computing and business apps are in the cloud and not physically on premise. The internet has become “the” network and securing access to it, cloud apps and data must be the new strategic focus.
CISOs should be leading the conversation with business leaders to understand the real risks, as well as the real opportunities, that this new cloud-driven world present. Changing the dialog from “Are we secure” to “Do we understand the risks of operating in this environment and have we mitigated those risks sufficiently”. It’s no longer all about securing the enterprise, that’s shown to be a losing strategy. It is all about treating technology risk the same as market risk or liquidity risk. Namely, identifying the risk, measuring it and mitigating to the extent that it meets the appetite of the business.
For all IT executives, now is the time to prepare for a new chapter in keeping your organization’s IT operations, network and business applications operating with peak performance – and within an acceptable level of risk for the business and its investors. We invite you to watch our webinar for more insights on the evolving CIO | CISO relationship.