In my 10+ years as a CISO, I’ve noticed a trend that appears to only be increasing. What I have observed is a proliferation of job titles that rhyme with CISO. But rather than describing the Chief Information Security Officer, these new titles swap out the word “chief” and come up with something else to describe something different.
There’s the BISO, or Business Information Security Officer, who has some level of responsibility for a specific part of a firm’s business. They are expected to be part of the business unit they are responsible for. In other words, knowing the business is as important as knowing security.
The BISO is not to be confused with the TISO, or Technical Information Security Officer. This individual is more technically focused and might serve multiple BISOs, complementing each BISO’s business acumen with their own technical expertise.
You might see a Network Information Security Officer, or NISO, where the word “network” can mean minding security for layers 1 through 4 of the OSI stack or refer to the NISO being a kind of mega-BISO who takes care of an interconnected group of business entities within a complex Enterprise.
If the business is divided into divisions, you might find a DISO and, likewise, if the structure is regional, you might find a RISO. To be fair, I’ve never seen a RISO title. Usually, the regional security heads are called by names like “CISO for EMEA” or “Deputy CISO, APAC region.”
And then there are the companies that are bashful about appointing a CISO and give their head of Information Security titles like “Director of Information Security.” To them we say, either call that person a CISO – and give them the commensurate responsibilities – or go get one. As I’ll argue below, there’s something that can get missed in this game of “ISO scrabble.”
Some CISOs I know responded to this sprawl of ISO job titles by adding “worldwide” or other descriptors as a preface to their title. After all, there should be one Chief and it is important to make sure that there is no confusion about it.
Human Resources, Executive Management, and sometimes even the Board have a direct say in all of this, of course. We can’t simply pin the existence of so many ISOs on the CISO. In fact, some of these ISOs might not report directly to the company’s CISO. Sometimes, there are so many dotted lines, you’d think that the org chart was printed out on an old, cheap dot matrix printer.
The first thing to emphasize about this jumble is: there’s more than enough work to go around. Call yourself Dr. Faustus for all anyone cares, just protect the Enterprise. Organizing that work is one reason these sub-CISO titles came into being. The titles legitimately describe and put limits on a function. You, X-ISO, need to focus on “X” and leave the rest to someone else (Y-ISO, Z-ISO, etc.?).
Then there’s the need to satisfy the ambitions of people with these positions. Consider it a compromise between where they are and where they want to be. “You are not the CISO, but, hey, this is close to being the CISO (just squint when you read your business card).”
Ending job titles in “Information Security Officer” is attractive to everyone involved. The security frameworks (ISO/IEC 27001:2013: 5.1 and 5.3 and NIST Cybersecurity Framework ID.GV-2, for example) all demand that roles and responsibilities be defined such that people are committed to staffing the security program. And nothing says commitment and, as applicable, compliance better than dedicated resources, and nothing says Information Security resources are dedicated better than making them Information Security Officers.
Now I’ll get to the point.
I would argue that the letter at the END of the acronym is way more important than the letter at the beginning. It’s the “O” for “officer” that matters most. Being an “officer” needs to mean something. This is where things get lost and too fuzzy sometimes.
It is important that people manage processes and teams. When they do that, regardless of their title, they are “managers.” It is important that work is directed and prioritized. People who do that are functioning as “directors.” People with the title Manager or Director can be at any level in the organization. Of course, there may be job classification schemas in an organization that dictate where they fall, but the functions do not limit the level. Likewise, being an “officer” does not mean you are at a particular level.
What being an officer does mean is that you are responsible for the objectives of the security program. Sometimes that means you manage, sometimes you direct. Sometimes you analyze, sometimes you observe and sometimes you consult. Sometimes you approve and sometimes you reject policies and their exceptions. Sometimes you might roll up your sleeves and configure a firewall (hint: “permit ip any any” is bad).
Being an officer should mean that the objective is more important than the tasks at hand. You can’t stand on ceremony if your job is to stand between the threats and what you’re protecting. The Information Security Officer owns protecting the company’s information assets. If a vulnerability or risk to the organization and the assets you’re protecting is in your view, then it is in your purview.
If an organization wants someone to solely manage a team or process, then they should call that individual an Information Security Manager. If they want someone to solely direct a function or set of functions, then they should hire an Information Security Director. If, on the other hand, they decide someone should be called an Information Security Officer, then expect and accept that that person’s scope goes beyond just managing or directing.
There might be more important organizational considerations when evaluating the security function in an Enterprise. “Who does the CISO report to” is discussed a lot more than who has what job title. But to the extent that job titles reflect roles and responsibilities, it’s worth considering just what makes an “officer” an Officer.