A recent report by Trellix indicated that due to growing complexity, responsibility, and regulatory accountability, a majority of CISOs believe their role should be split into separate positions.

This finding struck me as a little odd. It seems counterintuitive that CISOs really want their role split between technical aspects and cyber risk leadership?

I cannot image this tactic been successful. First, nobody wants to add more C-level execs. That just complicates leadership circles. Secondly, the risk leadership role needs direct oversight of technical protective aspects, compliance, and behavior/policy, to properly understand and manage overall cyber risks.

I do however believe that depending on the size and complexity of the environment, the technical role should be a reporting function into the CISO. This is also true of other domains like GRC, threat intelligence, risks quantification, and perhaps even privacy!

I don’t see a positive outcome if any of these roles are separated from an existing CISOs oversight. It should not be a split, rather a purposefully designed hierarchical structure under the CISO that will make leader more capable and effective in navigating and steering the risks seas.