A LinkedIn post by Nikoloz Kokhreidze caught my attention because it dove into the organizational structure of Microsoft’s CISO office. Nika led off with:
Microsoft just fractured the CISO role into 14 pieces, because “the modern CISO job is no longer humanly possible.”
My initial reaction garnered more reactions and views (32,831) than any comment I have ever made.
Microsoft hired Igor Tsyganskiy as Global CISO in 2023. He went on to reorganize the security function at Microsoft, adding 14 Deputy CISOs. I looked into it hoping that this move could guide other CISOs, only to find that it was just a typical large-enterprise division of responsibility by business unit. Nothing to see here. Microsoft just created a hierarchy of dCISOs, one for each business unit. This is what most organizations do. You can see ads for bCISOs, which stands for Business Unit CISO, usually reporting to a Global CISO. I am pretty sure that Roman Legions were organized the same way. It took 1,500 years for Napoleon to innovate the general staff concept.
All of which gives rise to the questions: How should a security team be organized?
Organizing by BU is one way, but is there a better way?
Say you are not Microsoft, which we cannot forget is a vendor. They are not representative of Big Banks, Big Oil, or Big Pharma.
One strategy is to organize by mission. To keep it simple, I propose that the mission is to fight and win an ongoing battle with attackers. That leads me to thinking in military terms, in other words by function and tools, like army, navy, air force, and space.
Here are my proposed 14 domains for security organizations.
Intelligence and Detection Engineering
Identity
Hygiene
Endpoint
Network
Infrastructure
Application and Product
AI and Data
GRC
Incident Response
Security Architecture and Engineering
Supply chain
OT/IoT
Operations (SOC)
What would you add to this list? Would you take anything away?