Ross Haleliuk identifies a structural shift in enterprise technology that most observers are missing: the Chief Information Security Officer is no longer just a gatekeeper, but is increasingly becoming the architect of the very infrastructure they once merely audited. This is not a story about personality clashes in the C-suite, but a pragmatic response to the fact that the artificial line between "building systems" and "securing them" has collapsed under the weight of modern complexity. For leaders who cannot afford to wait for security to be bolted on after the fact, Haleliuk's analysis offers a clear account of why the old reporting lines are failing and why the convergence of operations and security is becoming inevitable.
The Failure of the Old Hierarchy
Haleliuk begins by dismantling the historical norm where security sits as a subordinate function under the Chief Information Officer. He notes that while the title "CISO" has existed since Steve Katz took the role at Citicorp in 1994, the structural reality has rarely matched the executive status. "Most CISOs had pretty limited control over infrastructure," Haleliuk writes, "and when security needed something implemented, it still had to align with IT and engineering to actually get it done, and that didn't always go well." This observation is critical because it highlights a fundamental flaw in the traditional model: accountability without authority. When the person responsible for risk reports to the person responsible for uptime and speed, security inevitably loses the political capital needed to enforce necessary controls.
The author argues that this hierarchy creates a scenario where "it's harder for CISOs to push the CIO to prioritize some work when the CIO is their boss." This is a blunt, necessary truth that many organizations ignore until a breach occurs. The old model treated security as a separate discipline that reviewed decisions made elsewhere, often leading to a dynamic where "when a security person would show up at your desk, you knew you had done something wrong." While this reactive posture served a purpose in the early days of digitization, Haleliuk contends it is no longer sufficient for the scale of modern threats.
Critics might argue that merging these functions creates a dangerous concentration of power, potentially stifling the innovation that comes from distinct teams challenging one another. However, Haleliuk's framing suggests that the current separation is already a failure of checks and balances, where the team with the most to lose (security) has the least power to prevent the disaster.
From Reviewing to Guiding
The piece traces a clear evolution in how security teams interact with technology. We have moved from a hands-on era of configuring firewalls to a middle period of auditing configurations, and now to a new phase. "Security has evolved into what I would define as a guiding function," Haleliuk explains, where the focus is on "defining the policies and risk boundaries that establish how infrastructure gets designed and operated from day one." This shift is significant because it moves the conversation from fixing individual issues to designing systems where those issues cannot exist in the first place.
This approach aligns with the broader industry move toward "shift left" security, but Haleliuk pushes it further by suggesting that guidance is still not enough. He points out that even when security sets the guardrails, they remain dependent on other teams to implement them. "Security is still often treated as something adjacent to day-to-day operations," he writes, meaning that security isn't truly baked into the provisioning process. The result is a persistent friction where infrastructure teams are measured on uptime and cost, while security is measured on risk reduction, creating competing priorities that slow down the entire organization.
"The biggest challenge is that in this model, CISOs end up with accountability without control: they are ultimately responsible for risk, but since infra is owned by someone else, they are still one step removed from the systems that create that risk."
This quote encapsulates the central tension of the modern enterprise. Haleliuk argues that the only way to resolve this is to stop treating infrastructure as a separate domain. "In today's environments, every infrastructure decision is a security decision," he asserts, listing how services connect, how identities are granted access, and how traffic flows as examples where the distinction is artificial. By bringing infrastructure under the security umbrella, organizations can align incentives, ensuring that the team defining the risk is the same team responsible for building the system.
The New Reality for Leaders and Builders
The implications of this shift extend beyond internal organizational charts; they fundamentally alter the market for security tools. Haleliuk notes that historically, vendors targeted a single team because cross-departmental sales were too difficult. However, as the lines blur, "it's becoming harder and harder to sell products that have no operational value beyond helping organizations reduce risk." The new generation of security leaders is described as being "more comfortable operating closer to infrastructure, thinking in terms of systems, reliability, and performance, not just controls and policy."
This is a call to action for founders and investors. The market is moving toward solutions that sit at the intersection of security and infrastructure, with startups like Vivid Security and Gambit Security already building on this convergence. Haleliuk predicts that "new-generation security startups do more than just security," offering operational efficiency alongside risk reduction. This is a pragmatic evolution driven by the reality that "more CISOs are pushing toward owning infrastructure (not because they want to, but because increasingly, they have to)."
A counterargument worth considering is whether CISOs possess the operational expertise to run complex infrastructure teams without sacrificing their primary security mandate. Haleliuk acknowledges that "not every security leader has the ambition, skillset, or desire to run infrastructure," suggesting this model may not be universal. Yet, for high-scale enterprises where the attack surface is vast, keeping security and infrastructure under separate owners may be a luxury they can no longer afford.
Bottom Line
Ross Haleliuk's argument is a compelling diagnosis of a structural failure in modern enterprise governance: the separation of security and infrastructure is an artificial construct that creates dangerous gaps in accountability. The strongest part of this piece is its refusal to treat this as a personnel issue, instead framing it as an inevitable convergence of function driven by the complexity of modern systems. The weakest point lies in the execution: transferring infrastructure ownership to security requires a new breed of leader with dual expertise, and the industry is not yet fully ready for that transition. Leaders should watch for which organizations successfully make this pivot first, as they will likely set the new standard for resilience in the coming decade.