In the old days of the Internet, or about four years ago, the CISO (or whoever handled information security) nearly always reported directly to the CIO. The CIO listened to their expert advice and decided when and where to use it.
Then this happened:
Probably best to stop there before this entire post becomes little more than a list of highly publicized security breaches. It goes without saying (even though I’m going to say it anyway) that these breaches caused incredible damage to the targeted companies both in terms of actual customer impact and public relations. The New York Times alone wrote dozens of articles about just the four examples noted above, keeping this continually on the radar of people who no company wants to have worried about data security: customers.
In the months following their breach, Target hired their first CISO and had him report directly to their new CIO (the pre-breach CIO was no longer with the company). Immediately following this hire, Jonathan Feldman, CIO of the City of Asheville and an InformationWeek columnist, said this: “The big question here is how both the CIO and CISO will balance overreaction versus under-reaction.”
Four years later, figuring that out at any company is still the real trick isn’t it? How does an organization balance the CIO’s need to continually scale and manage the company’s infrastructure and keep the business running against the CISO’s need to lock everything down and ensure company data is never compromised? Who should have the final say on how infrastructure is managed to ensure security?
A CISO’s answer to that last question is likely to be, “Easy! I should.”
A CIO’s likely answer to the same: “Agreed, it is easy. I should.”
Organizations that place the CISO under the CIO (this includes the US Government as federal law requires the CISO report to the CIO within the government) would appear to agree with the CIO’s assessment. Is this the correct approach though?
The CIO and CISO have different goals and are measured on whether or not they accomplish those differing goals. Though they may often be on the same page, they are going to disagree on occasion and tensions will sometimes flare. Should the CIO have the final say when that happens?
If a CISO reports directly to the CIO then they might argue that their advice is only being taken whenever and wherever it doesn’t directly contradict whatever the CIO already wants to do. While their CIOs would likely reply that they deviate from the CISO’s recommendations only when those recommendations would unnecessarily hamper performance and growth. They could both easily be right, but according to PwC’s yearly Global State of Information Security report from 2014, there are two fairly notable issues when the CISO reports to a CIO:
This suggests that an organization is better off from a security perspective when the CISO does not report directly to the CIO. Yet according to a recent survey from K-Logix, more than half of all CISOs do exactly that, with just 15 percent reporting to the CEO, and the rest reporting to either the COO or risk-related departments within the org.
This doesn’t mean the CISO can’t be effective when answering to the CIO, just that the natural tension that exists between their roles is less likely to surface when it’s contained within the IT structure. If the CEO and Board aren’t aware when the CIO and CISO disagree, it’s then all on the CIO to determine which path to take between their differing viewpoints. Unless that CIO is Mr. Rogers, there’s an excellent chance they’ll have a real tendency to go with their own vision.
Which isn’t to say that vision can’t be fantastic, but there’s organizational value in making sure disagreements between the CISO and CIO are always visible. That way the business can fully consider the possible approaches to take and find the right balance between the two to ensure high performance is backed by strong security.