
The Changing Role of the CISO

How is the role of the CISO evolving, and what do physical enterprise security executives need to know about it?

By Diane Ritchey

Rinki Sethi, CISO at Rubrik


“No one will improve the security of the planet if there’s not significant money spent,” says Michael S. Oberlaender, a CISO and CSO, author and subject matter expert who has worked in global executive level security roles and in IT both in the U.S. and EU for more than 25 years. “Security requires an awful lot of money, and we, as an industry, have not spent it for decades. And now we have to pay for the things of the past.”

Photo courtesy of Michael Oberlaender


Both the CSO and CISO should have a seat on their company’s Board, says George Finney, Chief Security Officer for Southern Methodist University. “CEOs now get fired because they didn’t understand cybersecurity, right? That’s a real opportunity for both roles to be there.”

Photo courtesy of George Finney


John McClurg, Senior VP and CISO, BlackBerry

February 3, 2020

A recent Ponemon Institute report noted that the C-Suite now, more than ever, understands that just one serious security incident or data breach could derail the growth and profitability of their companies because of the impact on brand, the cost to remediate, fines and legal fees, and customer loss. As a result, the role of the Chief Information Security Officer (CISO) is growing in importance, as is the need to have an enterprise-wide IT security strategy that supports the company’s mission and goals.

Why does all of that matter to physical enterprise security?

Two reasons, says John McClurg, Sr. VP and CISO at BlackBerry. McClurg is an enterprise security executive, who advanced a CSO role at Dell, as well as at Honeywell International and Lucent/Bell Laboratories.

First, an elevated focus on the growing interdependencies between the physical and cybersecurity worlds leads to the consideration of a converged organizational structure, under a CSO who has both cyber and physical security responsibilities.

“I first saw convergence with my role at Lucent,” McClurg says. “The older view of separating physical and logical security is changing in enterprises, to where it is now quite common to find corporations where the corporate security and IT security worlds are fused together. Both roles don’t get appreciation every day, but they certainly get the blame when it goes wrong.”

Bringing two such distinct disciplines together is not easy. The personality types of corporate and cybersecurity directors can be very different, simply by the roles they’re hired to fill. However, says McClurg, “You need to coordinate and work hand and glove together so neither side is surprised, in order to execute solutions. That requires the cooperation with the IT side that owns the company network.”

Another reason, says McClurg, is that increasingly, both physical and IT Security programs have the same reporting structure, whether it’s to the CEO or the CFO.

“I have reported to many CFOs in my career, and there is something appealing about reporting to the guy who holds the dollars,” McClurg says. “A challenge with reporting to the CEO can arise out of the management principle of span of control, wherein a CEO may not be able to handle a large number of direct reports. That can introduce the risk of serving them all less well.”

One challenge with a converged organization, says McClurg, is that many SMBs don’t have a CISO position. “This is where we might consider a virtual CISO, an individual who may be part-time, who may work remotely, like a timeshare in the real estate world. They may bring their expertise, for a short or long period of time, to make critical decisions, or maybe just fine-tune some things for a while. That’s another way in which the role of the CISO is evolving.”

In addition, says McClurg, CISOs are being named to Boards of Directors of organizations other than their own. “That’s an indication of a Board’s appreciation of the criticality ascribed to the role,” he notes. “Our expertise and insights are needed and our skills are being appreciated. Boards now want the added assurance that their understanding of their situation, over which they have a fiduciary responsibility, is free and clear of any biases that might tilt their perception of how the security in their corporation is working.”

A Seat at the Table

Both the CSO and CISO should have a seat on their company’s Board, adds George Finney, Chief Security Officer for Southern Methodist University. “CEOs now get fired because they didn’t understand cybersecurity, right? That’s a real opportunity for both roles to be there.”

“From my perspective, being in cybersecurity for a long time, you just can’t have cybersecurity evolve without physical security doing the same,” he adds. “If you don’t get physical security right, you can’t guarantee the cybersecurity of your organization. And the opposite is also true. The two go hand-in-hand. That’s how you prevent crime. That’s how you ensure the safety of your community.”

Finney shares the story of a bank that had to replace all security cameras at all of their branch locations because hackers had taken over the cameras. But the hackers were so embedded in the physical security system that the bank ended up replacing its entire security system. “That’s a monumental failure, and it’s why the two roles have to work hand in hand,” he says.

When the two roles don’t work together, Finney says, it’s often because cybersecurity professionals like to “play our cards close to the vest. We don’t like to share, because it’s embarrassing to admit a breach. But to be secure, we all need to share information.”

Finney also suggests that, as an industry, security vendors should stop leading with fear. “One vendor tried to pitch us on using their facial recognition technology by telling us that a Florida school shooting would not have happened if the school had used their company’s technology. That’s a horrible sales technique. Stop selling security by using fear and, instead, build relationships.”

Michael S. Oberlaender, a CISO and CSO, author and subject matter expert who has worked in global executive level security roles and in IT both in the U.S. and EU for more than 25 years, says he has seen the progression of the CISO role, including some of the incorrect ways it has been set up in many organizations. He says, “It’s not easy because what I have observed is an uphill battle, where often, the CISO role is under the CIO or CTO realm, which makes the road ineffective and inefficient. Technology is about full and easy functionality while security means literally least privileges. And most organizations either don’t care or don’t really understand the issue.”

He adds, “We all know that security is not a technology problem. It is a business problem. And it needs to be decided on from a business perspective. How much money do we want to spend? What changes do we want to make? Do we change the processes, or the culture? Do we put security first or functionality first? Unfortunately, many companies are short-cutting it and then wonder later down the road why the data breach took place.”

Oberlaender advocates that the CISO should report to the CEO and have a seat on the Board of Directors. “The CEO is the best person to report to because that person has a lot of visibility and execution power.” But why isn’t that happening in all companies?

“Often, CEOs don’t understand security, don’t have the time, or don’t want to spend the necessary time to ask the right questions. They think they can delegate it and then it goes away. But it doesn’t go away,” says Oberlaender. “You can’t outsource accountability or responsibility. Slowly, but steadily, it is improving, where the CISO reports to the CEO. But it is not the majority. It’s much more advanced in other countries. For example, in Israel, law dictates that the CISO reports to the CEO. Israel is one of the most secure countries, as most security vendors either come from Israel or have a large subsidiary in Israel.”

He adds that most CEOs have the resources, time and knowledge in the space to be educated about security. “It is, in my view, sheer denial of the facts.”

Debby Briggs, CSO for NETSCOUT, adds that a CISO’s reporting structure is critical. “The CSO and the CISO don’t own the risk, but our job is to educate and inform everybody within the company, including the C-Suite and the Board of Directors on the risks and what we can do to mitigate them. So the risk appetite is really set by the Board and all the C-Suite team members. I report into my CIO, and he’s great, but there are times when my agenda and the agenda of my team is different than my CIO’s agenda. If I was designing an organization from scratch, I think the CISO or the CSO should report into the CEO. I think you will see that evolve as more Boards are taking a more active role in cybersecurity and physical security.”

According to Oberlaender, another way in which the CISO role is progressing is where he/she will have an independent budget. “Getting a budget independent from the IT spend or the technology spend gives more power and execution ability, in addition to better oversight, more independence and more governance. That independent budget will allow for investments in the necessary people, tools and technologies and process changes. It’s like buying a car. If you have money in your pocket, you can purchase a car. If you find the car that you want or if there is currently a shortage on cars, that’s a different story. But at least you have the financial ability to do so.”

Similar to Finney and McClurg, Oberlaender stresses the importance of having a converged enterprise, where the CISO and CSO roles work together. “Convergence has been discussed for years, but it isn’t always happening,” he says. “And it doesn’t make sense not to do so, as essentially, the same thought processes, same methods and same functions are there. They just translate into different ways of achieving a goal. There is access control in the physical space and the IT space, for example. There are still a lot of companies that still don’t have it combined in the right fashion.”

Privacy Issues

Yet another way in which the CISO will be elevated in an enterprise, Oberlaender says, is through privacy issues, in the form of the GDPR and the CCPA in California. “Security is a bigger problem than privacy,” he says, “but I wonder why we have made more progress on privacy? Why don’t we have (at least) national legislation on cybersecurity? It would make sense to have a security standard that the entire world (similar to GDPR on the privacy side) can apply, so the hackers are not always ahead of the game and security is playing catch-up.”

Privacy issues will be an opportunity for CISOs and CSOs to advance their role, Briggs adds. “At first, GDPR was pretty prescriptive, but now, instead of having one national data privacy regulation in the U.S., we’re going down the road where we could end up with 50 of them, which will become very hard to manage. CISOs can help build in the technical controls required for GDPR compliance.”

Rinki Sethi, CISO at Rubrik, agrees with Briggs. She sees the rise of a new organization emerging, the Data Trust Office, to help businesses rethink how they are organized around security, privacy and customer trust. This new function would collaborate with the CISO and other business units to ensure that legal obligations are not only met, but the right security controls are in place to protect data within the entire company.

At Rubrik, Sethi is responsible for building the company’s security strategy, which includes data security. She presents to the company's Board of Directors on a regular basis to keep them apprised of developments across security and compliance. Sethi and her executive team work together on a number of issues on a regular basis, she says, “to ensure that we have given the issue the proper response and to ensure that we can prevent it from happening again.”

 


Diane Ritchey was former Editor, Communications and Content for Security magazine beginning in 2009. She has an experienced background in publishing, public relations, content creation and management, internal and external communications. Within her role at Security, Ritchey organized and executed the annual Security 500 conference, researched and wrote exclusive cover stories, managed social media, and authored the monthly Security Talk column.
