April 26, 2017 By George Moraetes 3 min read

For many, the most common reporting structure in today’s business environment is overly complicated. The majority of security leaders around the world report directly to the chief information officer (CIO), which can cause an enormous amount of conflict. That reporting structure, however, is slowly changing for some companies. In those organizations, the chief information security officer (CISO) might report to the CEO, chief operating officer (COO), chief financial officer (CFO) or legal counsel. Still, the security industry has a long way to go to convince corporate boards and government leaders of the conflicting issues at hand.

Breaking Down the CISO-CIO Conflict

In most organizations, the CISO and CIO have totally different mindsets when it comes to IT operations. The CIO is focused on keeping things running. Moreover, when it comes to new technology acquisitions, the CIO is primarily concerned with return on investment (ROI).

The CISO, on the other hand, is focused on using security tools to reduce risk, which can be measured as return on risk (ROR). The rub is that risk reduction always takes a back seat to operations, and that gap is constantly increasing. As the two executives evolve in their respective specializations, the gap grows and ultimately leads to both disciplines becoming separate roles.

A structure that requires the security leader to report to the CIO can also create a power struggle. The importance of security often gets lost in the maelstrom of office politics and tight budgets, which can potentially lead to an adversarial relationship between the two IT executives. When a security breach occurs in this kind of environment, the CISO is often scapegoated, even if the incident is a consequence of the CIO’s decisions.

IT Roles Shifting in Government Agencies

In an August 2016 congressional report, the U.S. Government Accountability Office (GAO) detailed the concerns and outlined the authority of the security executive within federal agencies as defined under the Federal Information Security Modernization Act of 2014 (FISMA 2014). The report addressed the reporting hierarchy within government agencies and questioned their ability to deliver on their responsibilities. Moreover, security leaders reported challenges to their authority as a result of competing priorities between operations and security, such as:

  • Insufficient staff and inadequate budget to achieve compliance with many mandated security controls;
  • Inability to offer salaries that are competitive with the private sector for candidates with skills in high demand;
  • Lack of appropriate training opportunities in highly technical roles to ensure proper risk evaluation and support security infrastructure; and
  • Budgetary conflicts between security and operations executives that result in organizational failure to address security needs.

A congressional house bill, the HHS Data Protection Act, was a direct result of an investigative finding that originated from a series of current and previous network breaches against the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS). It revealed that the incidents were partly due to organizational structures that imperiled security to favor operations. The report advised the HHS to separate the IT executives, and the legislative bill will do exactly that.

Additionally, some private sector organizations have separated security from the CIO. Several of the “Big Four” consulting firms are actively advocating for this structural change.

A Healthy Rivalry

It is important to understand that the relationship between the CISO and CIO will always be somewhat adversarial, and that’s OK. A healthy rivalry is a good way to ensure checks and balances within the organization, which is one of the fundamental reasons why the security leader should never report to the CIO, but rather engage in a partnership.

Both positions have too much on their plates to begin with, so it makes sense to work in tandem. Both are responsible for leadership and vision where IT and security implementations are concerned. Both have critical roles to drive the business forward, and the CISO needs to provide insight and guidance to ensure that the security strategy is sound.

Information security leadership is beginning to gain board seats, building consensus to provide a security strategy that enables the business to move forward. What was once solely the CIO’s responsibility has now become a part of the security leader’s daily workload. It is important to set attainable metrics for business success to convey actions to the board, and for both executives work together to ensure that operations are conducted securely.

Listen to the podcast: If You Can’t Measure It, You Can’t Manage It

Building Trust

Trust is a key ingredient here because it affects the CIO-CISO partnership as well as the executives’ shared effort to unite all departments under a single security umbrella. It is a challenge to build that trust; both executives must be solid communicators who are able to evade conflicting tensions.

These two roles are interdependent, since the CIO relies upon the CISO for advice, guidance and risk evaluation while the CISO depends on the CIO for support and infrastructure resources. They must work together with a holistic, integrated approach that empowers every business department within the organization with a clear vision. Together, they must build trust, formulate priorities and execute them.

Information security is no longer an IT support issue, but a strategic business responsibility. Both IT executives must share common goals for security and IT operations to be successful.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today