The CISO… Who?
24 January 2018 | 10:31 am
I was interviewed recently for a new podcast that is all about the business of information/cyber security, and the hosts asked me what I thought was the number one thing that should change in the industry. My answer had nothing to do with more secure software, better security awareness training, better patching schedules, anti-virus, or bigger security budgets. It had to do with the role of the Chief Information Security Officer (CISO).
Since cybersecurity strategy is one of the hats I wear, this was an easy question to answer. Until the CISO has the same seat at the table with the CEO and the board just like the CIO and CFO do, security within an organization will never be a priority. As I mentioned in my article The Culture of Security, security culture, like all culture, lives or dies from the top down.
Most people I talk to outside the security industry have never heard of a CISO, but they can tell me what the CEO, CFO, COO, and CIO are. When I tell people that I am a virtual CISO, I often get blank stares or the question "what's a CISO?" What this tells me is that security is still taking a back seat in the landscape of business strategy and priority.
I talk to a lot of CISOs and hear their stories. More often than not they tell me they report to the CIO, and that rarely, if ever, do they get in front of the board. When the CISO does not actually sit at the table with the decision makers, whether that's the CEO and CFO or the board, and their message is filtered through another level or two before ever reaching those decision makers, the importance and context of the message gets lost. Moreover, if the decision makers have questions, there is no one at the table to answer them.
When the CISO reports to the CIO, which is the most common reporting structure, there is a real issue that needs to be discussed. The CIO and CISO have different, and often conflicting, priorities. The CIO is responsible for making data and assets available to support business functions, and funding is generally tied to the performance of those assets in support of business needs. Conversely, the CISO is responsible for managing business risk, risk that extends to all responsibilities of the business and not just technology. The CISO may also recommend a level of protection for data and technology that negatively impacts the performance of those assets, a metric that is very important to the CIO. Reporting to the CIO means security decisions will align with protecting IT assets rather than protecting the business as a whole, and only to the degree that they do not hurt the numbers the CIO is responsible for.
I've also seen the CISO report to the CIO, who in turn reports to the CFO, which has an even bigger impact on their contact with the board. Now the CISO is two layers removed from the top decision makers and strategists, and the person responsible for relaying the information is someone who does not have the background to properly communicate the message or answer important questions. The CFO is interested in budgets and return on investment, which is hard to see with security. The work of the security professional is often invisible, and it is very hard to prove ROI when the result of doing a good job, having the right people, and having the right tools is no breach and no loss of data. It is very hard to tie the effect of no breach to the cause of a good security department.
Here are my recommendations for leaders who don’t want their brand on the front page of the paper because of a breach or security issue:
If you are the CEO or sit on the board of an organization and you believe that security is a priority, ensure your CISO reports to you or to another independent executive who looks at the organization as a whole. For example, the Chief Operating Officer, Chief Risk Officer, or General Counsel could be a good reporting line, as long as the CISO has the opportunity to brief the board directly at least quarterly.
If you are the CIO, you have a CISO reporting to you, and you believe your organization should take security more seriously, talk to your CEO about moving the CISO out of your reporting chain. Even if you can be unbiased, it's the right thing to do for your organization.
If you are a CISO or an aspiring CISO for your organization, and you report to anyone other than the COO, General Counsel, Chief Risk Officer, or CEO, I would consider having this conversation with the executive team as a whole. Not because you don't trust your CIO or whomever you report to, but because security threats are real and current, and they hired you to help create the strategy to stay secure. You can't provide real-time direction if you are not riding in the same car as everyone else.
If you are looking to take a job as a CISO for a new organization, when you negotiate terms for the position, ensure that you report to the CEO, COO, or General Counsel. If they say no, it's a sign that they might not take security as seriously as you want them to, and you might not be happy working there for long.
If security were just a simple part of an IT organization, it would make sense for a security executive to report to the CIO, and they wouldn't need the "chief" in their title. However, since every part of the organization, not just IT, relies on security, it is incredibly important for the CISO to sit outside of IT, where they can see and help the organization at large.
The intent is for the CISO to have an unbiased chain of command, access to brief the decision makers, and an opportunity to answer their questions. If security is important to your organization, this one change could have the real, lasting impact you are looking for.
If you have questions or want to discuss the challenges of the CISO, email email@example.com. If you don't have a CISO but want more information on how Virtual CISO services work, which are designed to help small and medium-size organizations maintain their security posture, reach out so we can talk in more detail.