The role of CISO can be a challenging, thankless position. As modern enterprises – and the corresponding attack surfaces that CISOs are charged with protecting – have evolved in recent years, the job has become exponentially harder. There are a number of contributing factors to the curve getting steeper, but the root cause is simple: organizational structure.
The standard design of IT Operations and Security Operations under separate leadership is crippling our ability to improve our IT operational discipline, improve security and reduce risk. This is why I’ve advocated for an organizational change for many years now: we must align all operational activity under a single unified operational leader: the Chief Infrastructure and Security Officer.
The primary issue for CISOs is the misalignment in org design between accountability and responsibility. These siloed orgs make CISOs accountable for security measures they can’t implement because they lack control over the necessary IT functions. This results in environments with underdeployed tools, unpatched assets, and other environmental vulnerabilities.
Major breaches, like those at Solarwinds and United Healthcare, make that clear: a US Senator grilled Equifax’s CISO in 2017 for lack of an asset inventory – an IT responsibility. Under these org designs, CISOs are set up to fail, unable to protect their organizations effectively.
This situation exemplifies Conway’s Law. Melvin Conway, a computer scientist, stated in 1967 that “Any organization that designs a system will produce a design reflecting the organization’s communication structure.” Senior software development leaders often say, “you ship your org chart,” emphasizing the inescapable impact of organizational structure on system design. Decades of research, including studies by industry stalwarts like Microsoft, support this.
The majority of that research is focused on large-scale software development, which takes months to years to produce a unified system from multiple sub-systems that must interact. But the effect of Conway’s Law is even more pronounced when applied to operational systems where teams of people must interact with each other on a daily basis like IT and Security Operations.
I first wrote about this in 2017. At that time, only a few organizations experimented with different organizational structures. In the seven years since, many more organizations have reshaped their org structures. Since Sevco addresses problems at the intersection of IT and Security, we interact with hundreds of teams across various companies, witnessing firsthand how they navigate these challenges.
In the most successful organizations, the CISO has become the Chief Infrastructure and Security Officer. The CISO reports to the CIO, but IT operations and network operations – all the core infrastructure – are part of the CISO’s org, in addition to Security operations. The CIO’s other teams handle the help desk, service desk, and enterprise applications: the customer-facing parts of the organization.
In this structure, the CISO is accountable for not just security but also availability. This structure aligns accountability with responsibility and empowers the CISO to manage security, availability, and business goals.
As an industry, we have been investing in security for more than a decade, but we have reached the point of diminishing returns. Continued investment in security will not see the same gains because the next challenges security leaders face are hampered by functional silos and the realities of Conway’s Law. While cross-functional collaboration is possible, it is slow, costly, and often fails to meet business demands. In order to truly empower CISOs and their teams, organizations need to rethink the basic organizational structures that are holding them back.