Why Cybersecurity Roles Should Sit Within IT Teams (Including the CISO?)
I’ve seen this happen too many times in too many organizations: cybersecurity is treated like a separate island, called in at the end of a project, after key IT decisions have already been made. Then we wonder why controls don’t fit, why risk wasn’t managed properly, or why delivery is delayed because something critical got missed. In reality, if we want to build secure, resilient systems, cybersecurity roles need to be embedded directly in IT teams, not just technically, but culturally.
And this goes all the way up to the CISO.
Security has to start early, not after the fact
Security doesn’t work well when it’s just reviewing things from the outside. I’ve learned that the most effective security happens when it's present right from the beginning: in solution design meetings, sprint planning sessions, architecture reviews, you name it. When security people are part of those conversations early, risks are addressed before they become costly problems. You get security by design, not just security by audit.
This doesn’t mean just tossing a “security person” into an IT team and calling it a day. It means building a habit of collaboration where cybersecurity roles (engineers, architects, analysts) are treated as core members of the delivery team, just like developers or sysadmins.
Context matters more than policy
One thing I always stress is that context is everything. When security people are embedded within IT, they understand how systems actually work, not just in theory, but in production. They know the dependencies, the constraints, and the business drivers behind decisions. That means they can give advice that’s relevant, not generic.
You can’t protect what you don’t understand. And you can’t influence what you’re not close to. By sitting inside IT, security professionals can design better controls, automate more effectively, and support teams in a way that actually helps rather than hinders.
Automation happens faster when security is in the room
Let’s be honest, security doesn’t scale with manual work! We need automation everywhere: in CI/CD, in identity and access provisioning, in compliance checks. But you can’t automate what you don’t help build.
When security engineers are part of cloud, DevOps, or infrastructure teams, they can directly contribute to scripts, templates, and pipelines. That’s when you start seeing things like real-time drift detection, policy-as-code, or automated remediation. And when you build that capability in-house, you also avoid the extra cost and dependency of relying on vendors to build things for you.
Collaboration builds a culture of shared responsibility
One big benefit of embedding cybersecurity roles in IT is that it changes the mindset. When security is “someone else’s job,” it’s easy to ignore. But when the security person is sitting next to you, joining your meetings, and working on your backlog, it becomes everyone’s concern.
I’ve seen developers who didn’t care about secure coding become more engaged once they had a supportive security colleague embedded in their team. I’ve also seen IT engineers become security champions after working side by side with someone who spoke their language and understood their challenges. That kind of collaboration changes how people think, and that’s where real cultural shifts happen.
The CISO needs to be part of the IT strategy, not outside it
Now, let’s talk about the CISO. I’ve worked in and around environments where the CISO is kept at a distance, reporting into legal or risk and mostly doing compliance. And that’s a problem. I am not saying that the CISO needs to report to the CTO or CIO (although it can be the case). At some point, the CISO needs to have business acumen as well.
However, if your CISO isn’t involved in your IT strategy (cloud transformation, SaaS adoption, legacy upgrades), then you’re making decisions without a full view of the risk. The CISO needs to be at the same table as the CIO, the CTO, and enterprise architects, because you can’t separate security strategy from technology strategy anymore. They’re deeply intertwined.
When the CISO is aligned with IT leadership, you get smarter prioritization of risks, better investment decisions, and security programs that actually support the business, not just slow it down.
Real metrics come from working together
I’m a big believer in tracking the right metrics, but those metrics only mean something if IT and security work together. Patch timelines, privileged account usage, cloud misconfigurations, shadow IT: all of these indicators tell you something only if the teams own them together.
When security is embedded in IT, those metrics become shared goals, not just numbers on a dashboard. That’s when they start driving actual improvements.
Bottom line: security has to live inside IT
Security can’t afford to be a “review board” anymore. It needs to be right in the trenches, designing, building, and deploying alongside IT. That’s how you create systems that are secure by default. That’s how you respond faster to incidents. That’s how you build trust across teams.
Embedding cybersecurity roles in IT isn’t just a tactical decision; it’s a strategic one. It changes how security is perceived, how risk is managed, and how resilient your organization really is.
And if we’re serious about building digital trust, then security has to stop being the outsider. It has to be in the room, every time.