The Rise of the CISIPO: The Chief Information Security Investment Portfolio Officer

Do I really think that you need a Chief Information Security Investment Portfolio Officer (CISIPO) in your company as a W2 position?

Not necessarily; however, I do feel that the CIO needs to think like one.

Anyone with a brain in the CISO or CIO role can convince their employers to spend money when times are good. Between the fear of auditors and the fear in the marketplace, this is easy.

However, I believe that long-term career stability will be obtained by those of us who say ‘no’ to IT Security spending and ‘yes’ to IT Security investments.

Someone has to interpret the left and make sense of the right. Far too many CIOs and CISOs are being coerced into spending that makes no sense at all.

Passing a compliance audit does not make you secure. This is a very important distinction to make with the board. I think most get it, but a lot don’t. The Board of Directors (BoD) naturally has a default way of thinking:

“I have a government auditor or internal auditor here. If I get ‘dinged’ in a certain area, then I am wrong and they are right.”

This is wrong.

You have to build a defensible argument. It should be based on a Socratic method of analysis.

Do you have the chops and the tools to sit in the middle and make tough calls?

I believe that, with rising complexity and pressure on the right and left, once fear settles down we are going to see the business asking for someone to really examine what an appropriate investment is for a company of your size.

In my experience, I don’t often see an egregious lack of investment in IT and IT Security. What I experience frequently is confused spending. The ceiling of complexity is high enough now that you are spending on tools that overlap in functionality with one another. I see confusion with fundamentals, which creates a noisy environment. It is hard for your IT Security monitoring tools to work when an environment is confusing or too complex.

Have you really optimized all the capabilities of your existing IT Security investments?

Are you just taking an audit finding as gospel truth?

Are you refuting some findings, or spending money to solve problems that could be solved by fully deploying what you already own?

There are ways this can be done so that it does not become a burden for you, since this kind of analysis is not easy for small to medium businesses.

There is hope in you becoming a CISIPO.

Determine if this approach is for you. Some of you prefer the left because you like spending your time on the analysis and auditing side of the fence. However, some of you prefer implementing and doing. If this is the case, you will find yourself on the right.

What I am suggesting you consider is being the person in the gap who compares both sides in order to counsel the business.

What are your thoughts?