CISOs grew up in the CIO’s blind spot. As cloud and SaaS bring IT and security back together, which will survive their impending deathmatch?
A half-century ago, most corporations were paper-native: Their business processes all executed on paper, from back-office functions (accounting) to go-to-market functions (sales and marketing). Their businesses were location-native: Revenue was often generated in some form of person-to-person transaction, supported by that paper-native back office.
As first computers, and then networks, became popular and affordable, businesses shifted from paper-native to compute-native, and at some point, network-native. You couldn’t conceive of an enterprise that did not, as one of its first orders of business, build a network for both its servers and its end users and give them computers as a primary tool for getting their jobs done. The rapid pace of innovation in the modern information ecosystem drove the rise of the CIO, first as an executive to manage systems but then leading an IT organization to support the digital transformation of business processes.
But IT is expensive and not just in hardware, software, and licensing. User support, change management, and vendor management all bring increasing costs to a business, and all those expenses fall under one individual: the CIO. Increasingly, CIOs are pressured to reduce costs more than they are pressured to drive innovation (in some enterprises, CIOs report to the CFO, which solidifies this mandate). The CIO becomes the corporate personification of the 80/20 rule: Satisfy 80% of the need at 20% of the spend.
Shadow IT gives rise to the CISO
This happened right about the time that the rise of the internet shifted corporate revenue streams from in-person or call-center-based channels to the internet. Even as the back office became network-native, the applications that drive the business started to become internet-native. With CIOs driven to reduce costs, IT teams became less agile in response to novel demands. The rise of innovative platforms, from e-commerce to apps, was led by engineering teams: the first shadow IT applications. Unsupported by IT, these applications quickly became mission-critical. Security professionals tackled their security challenges, and the CISO was born.
For much of the last 20 years, this dynamic has held: The CIO owns a large, often monolithic, domain, while the CISO deals with protecting the chaotic environment of shadow IT. There’s some overlap (like ownership of IT security), but by and large, this has been a stable model. Then along came cloud.
The cloud challenges the CIO model
The rise of the cloud-native enterprise was the first blow to the traditional CIO model. Applications moved out of the corporate network, built atop a third-party compute environment run by a cloud service provider. Agile IT teams shifted, becoming a form of internal professional services, providing white-glove support to teams making that transition, and many now find themselves in a “cloud devops” role. In other cases, the engineering teams that owned those applications are (for good or ill) managing their own cloud environments and doing away with IT support altogether.
Cloud-native appears to be the final (for now) step for revenue-generating activities after location-native and internet-native. The SaaS revolution for corporate activities has the potential to be the death blow for the CIO/CISO split. Paper-native became network-native, and now is headed to be SaaS-native: every application in support of core corporate activities, from HR to finance to marketing, is now readily available in the SaaS ecosystem. SaaS is the ultimate in shadow IT: services easily procured by your end users, and deployed in moments, requiring little IT support beyond integration to an identity provider.
SaaS support = security support
Rapid vendor acquisition and migration raise a lot of risks, which are already drawing the CISO’s attention. As most of the traditional IT-based application support activities are handled by SaaS vendors, the primary need for SaaS support is security support – and it will be wasteful for companies to have both a CIO and a CISO providing that support separately.
We already see this in young startups. You’re most likely to see a director of security handling both IT and security, since solving security issues is seen as the primary driver for custom IT support. As those companies grow, that role is likely to stay together, and there will be only one IT/security C-level executive in the organization. The last bastion of the CIO may be laptop management, but with Apple, Google, and Microsoft providing excellent support, and EDR vendors increasingly taking on administrative tasks, how long will a CIO who doesn’t take on security oversight last?
This piece originally appeared in CSO Online.