Rosalyn Page
Contributing writer

More than a CISO: the rise of the dual-titled IT leader

Feature | 10 Jul 2024 | 8 min read

The rise of dual-title CISOs reflects the changing dynamics of the role, from gatekeeping cybersecurity to managing business risk.


The role of the CISO is expanding and these C-level leaders have been acquiring responsibilities and adding roles beyond their principal function. Dual-title roles such as CISO plus CIO, CTO, VP of engineering, head of product, or head of infrastructure reflect a shift towards broader responsibilities and workplace recognition of the diverse skills of CISOs.

Many of the qualities that make a strong CISO, such as risk management, strategic thinking, leadership, and the ability to align technology initiatives with business goals, are the same ones that drive positive outcomes in these expanded roles. Dual-title positions draw on the CISO’s experience of embedding security within business operations and managing complex systems. However, those in these roles say they require clear ownership of risk, team support, a balance between technical and business goals, and a deliberate shift in priorities toward strategy.

A dual title enables strategic integration and alignment

Dual-title roles give CISOs new levers to work with and more scope to drive strategic integration and alignment of cybersecurity within the organization.

Geoff Belknap, CISO and VP of engineering at LinkedIn, holds the CISO responsibilities and also oversees a team of software engineers responsible for building and maintaining security infrastructure: identity and access management, log collection and analytics, and the software and other infrastructure that supports them.

Belknap was given some advice early on in his career from a seasoned CISO about why it helps to have your own software engineers. It may not have resonated fully in his early days, but it stayed with him and has been borne out over the years. “You learn over time that to really have an impact as a security program leader, you’ve got to build and support your own infrastructure,” Belknap tells CSO.

He’s found it far easier to solve problems when working directly with his own engineering team; in a partner arrangement, those teams naturally have different priorities and metrics to adhere to. “Nobody’s going to innovate the way my teams are going to innovate, because they’re very close to the security problem. But lots of people can build great software, so in my case, it helps to bring both of those together,” he says.

Belknap finds having his own team of engineers puts him in a stronger position when working with partners. When looking for support or assistance with a project, his team will have already built something, reducing the amount of work needed from the partner team. “This means we can lean on them to be responsible for the things that only they can do. I don’t have to pull them into the work that only I can do or the work that’s not aligned to their expertise,” he says.

These dual-title roles also recognize how CISOs are increasingly operating as technology leaders and operators of the organization, according to Adam Ely, head of digital products at Fidelity Investments who was formerly the firm’s CISO and has a long history in security.

Ely says that as CISOs typically work across an organization, know how the business lines work, and are day-to-day leaders of people and technology as well as crisis managers, it stands them in good stead for dual-title or more senior positions. “Many CISOs came through a technology or engineering field and that experience of working with technology and product groups develops a skill set for them to transition to other roles, especially as companies continue investing in technology and digital products,” Ely says.

At the same time, trends in technology such as cloud computing, DevOps, automation and infrastructure lifecycle management mean “we’re seeing the walls between various functions become much fuzzier, and security becoming much more integrated into those processes,” Ely tells CSO.

In his role as CISO, Ely was able to learn the various business lines, build connections and operate across the company. “Moving into the product role, I already had a grand view of how the company operated, what projects were important, what technology was in place, and I had well-established relationships within the company,” he says.

CISOs have a good grasp of the entire business

For Blue Mantis COO Jay Pasteris, who was previously the company’s CISO and CIO, there aren’t many other roles that have the same lateral visibility of the entire organization combined with an understanding of the processes of other departments.

He believes these dual-title roles can provide a more direct reporting line to the CEO or board, which is important for risk reporting. It gives the CISO greater autonomy to report to the board and helps them understand business risk because the CISO is looking across all the different parts of the organization. “It’s not just technology, it’s data, users, customers, and threats. It’s thinking about how to make the business resilient, and the board and the CEO need to have that transparency and the ability to work bilaterally with the CISO,” Pasteris tells CSO.

Holding both roles also helps harmonize the mission of driving business efficiencies while keeping the organization secure, which can sometimes be at odds. Additionally, CISOs understand what the business outcomes need to be and where the business risk is as well. “We have an ability to bring all that together and it becomes really valuable to the organization. That’s why you’re seeing the CISO start to move up to the COO role,” Pasteris tells CSO.

One of the other distinguishing features of the CISO role is that it’s both a provider and consumer of security services, putting it in a somewhat unique position to understand the development pipeline for engineering, the marketing stack, what the sales team is using and so on, says Chad McDonald, COO at Radiant Logic.

Challenges and risks of dual-title roles

While there are plenty of reasons to recommend dual-title CISO roles, they are not without their challenges. CISOs commonly report already being stretched thin, and the risk is that a second title makes that worse.

“If you stack responsibilities, it needs to come with resources. You can’t go to a CISO, who’s already spread too thin, and add responsibilities without any additional people or money,” says Belknap.

It can also be tricky to integrate other teams such as engineering or product into the security group when they don’t typically see themselves as part of the security remit. “If you’re using software, audits, infrastructure or any kind of AI to make security better, you’re a security practitioner, even though you might not think about yourself as that at first. They may need to make a shift to realize the goal is building great software that helps to drive improvements in security and helps reduce friction,” Belknap tells CSO.

Pasteris says it’s important to be careful about taking on too much risk, and although there needs to be an understanding of the regulations and some of the laws, that doesn’t qualify someone to own all risk. “Don’t try to replace legal counsel, don’t try to replace data privacy, don’t try to replace some of those very specific roles that have legal ramifications tied to them.”

Instead, build strong partnerships in those areas, maintain appropriate separation of responsibilities, and avoid conflicts of interest within the larger risk management remit. “You don’t want to be the guy deciding about the risks, evaluating the risk and also putting the stamp of approval on the risk,” Pasteris adds.

CISOs who are in a position to enlarge their roles should move slowly and tactically to make the most of the opportunity to strengthen these strategic alliances, according to McDonald, who was Radiant Logic’s CISO and chief of staff before becoming COO. “Be sure there’s a tangent or overlap for the area that you’re onboarding so you don’t lose sight of your primary responsibility as a CISO,” he says.

CISOs also need to avoid taking it all on themselves and make building out operational teams a priority to ensure they can execute against the organization’s strategy. If not, they can struggle to have a critical mass and lack the resources to properly focus. “More often than not, CISOs who’re struggling haven’t really established a strategic function for themselves; they’re still tactical in how they execute or operate,” McDonald says.

There’s also a critical mindset shift needed to adopt more strategic priorities. “As CISOs mature and start learning how to manage risk, they’ve got to lose sight of the fun blinking lights and start looking at the strategic direction of not just the security function, but the organization itself so they’re running in parallel with the organizational goals,” McDonald adds.


Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.
