What a difference a conjunction makes
I’ve noticed lately that a certain little word has crept into a certain title that gives it an entirely different complexion.
CISO, to my mind, stood for Chief Information Security Officer, that is, the chief officer in an organisation whose responsibility was information security. This was chiefly an IT role, though physical security, such as that around data centres and information on physical media, was included.
However, I have noticed a few references in recent times to the Chief Information AND Security Officer. To revert to colloquial parlance, that is not a horse of a different colour; it is, indeed, an entirely different horse!
The implication, given the definitions to which one is accustomed, is that a chief information and security officer (let us go with CIaSO) would be the chief of both information and security.
On first seeing the reference, I thought I had, or perhaps someone else had, made a mistake. But there are numerous references, such as a UK NHS Digital CIaSO resigning, and a call for a UK national CIaSO to be appointed in the wake of WannaCry, and also a sterling call to action to have politics taken out of cybersecurity, and for cooperation to prevail. There are even references on the largest of recruitment and professional networking sites advertising for CIaSOs.
On further reading, it would appear that the terms CISO and CIaSO are being used interchangeably. Few seem to be making the, to me at least, obvious distinction that a CIaSO is in fact a merger of the roles of CIO and CISO.
This merger does not seem to be a good idea, as the reasons to separate the two are as valid as ever. Given the trends of the CIO becoming more of a strategist and direct advisor to both business unit leaders and the CEO, and of the CISO becoming the critical enabler for safely and appropriately making data sources usable and safe to open up to new analytics tools, it seems even less so.
It may perhaps be just semantics, but it also highlights an important issue for whoever looks after both the information strategy and security efforts of any organisation, that of clear communication of roles and responsibilities.
With the emphasis on IT becoming more of a support to and advisor for all aspects of business, using unclear terminology for key roles is not going to help anyone.
IT has always had issues with communication, not just among techies, but especially further afield, and particularly with the business.
As it becomes ever more important to express the value that IT already provides, and that which it will provide in the future, clear, unambiguous language is vital.
So, keep it tight, keep it clear, and above all, make sense. Let’s not have any more proactive, performant, irregardless actioning of pointless terminology that makes things harder to understand.