Very few chief information security officers have risen to the ranks of chief information officers. On the one hand, it would seem like a logical progression. CISOs historically have reported to CIOs. The importance of their roles has grown tremendously, as has the threat landscape. Also, as security has risen to a board-level concern, CISOs are often asked to speak before the executive team and board, underscoring the importance of the discipline, while also raising the profile of the executive.
So why has this not been a greater pathway? First, while CIOs must focus increasingly on innovation, which is about risk taking, CISOs manage or mitigate risk. That is not to say that there is not profound innovation that CISOs can undertake on behalf of their companies, but this focus has nevertheless been a limiting factor to these executives’ rise. Additionally, security roles can be siloed relative to other roles in information technology, and the lack of leadership roles across IT can be viewed as another limiting factor.