I find myself very interested in this discussion. I lean towards security not needing a CXO position at all; instead, companies should probably be creating a risk CXO position, and the seniormost security person is an engineer, but reporting to them. Anyone who spends the time communicating to, and building relationships with, the MBAs in the C-suite is going to have to spend a lot of time massaging risk into numbers, and is essentially more of an actuarial professional and community builder. Doing that and understanding the technical solutions to problems as things change is a high bar. A CISO is a role of communication, while a VP of security engineering (even an EVP, but not C-suite) can spend his time leading down and learning new technologies. Any time you put someone into a physical C-suite, they are going to have a lot less integration with the team they are leading. I think we as a community have gotten very wrapped around titles, but here I think the CXO is hurting us more than helping.