For many, the most common reporting structure in today’s business environment is overly complicated. The majority of security leaders around the world report directly to the chief information officer (CIO), which can cause an enormous amount of conflict. That reporting structure, however, is slowly changing for some companies. In those organizations, the chief information security officer (CISO) might report to the CEO, chief operating officer (COO), chief financial officer (CFO) or legal counsel. Still, the security industry has a long way to go to convince corporate boards and government leaders of the conflicting issues at hand.
Breaking Down the CISO-CIO Conflict
In most organizations, the CISO and CIO have totally different mindsets when it comes to IT operations. The CIO is focused on keeping things running. Moreover, when it comes to new technology acquisitions, the CIO is primarily concerned with return on investment (ROI).
The CISO, on the other hand, is focused on using security tools to reduce risk, which can be measured as return on risk (ROR). The rub is that risk reduction always takes a back seat to operations, and that gap is constantly increasing. As the two executives evolve in their respective specializations, the gap grows and ultimately leads to both disciplines becoming separate roles.
A structure that requires the security leader to report to the CIO can also create a power struggle. The importance of security often gets lost in the maelstrom of office politics and tight budgets, which can potentially lead to an adversarial relationship between the two IT executives. When a security breach occurs in this kind of environment, the CISO is often scapegoated, even if the incident is a consequence of the CIO’s decisions.
IT Roles Shifting in Government Agencies
In an August 2016 congressional report, the U.S. Government Accountability Office (GAO) detailed the concerns and outlined the authority of the security executive within federal agencies as defined under the Federal Information Security Modernization Act of 2014 (FISMA 2014). The report addressed the reporting hierarchy within government agencies and questioned their ability to deliver on their responsibilities. Moreover, security leaders reported challenges to their authority as a result of competing priorities between operations and security, such as:
- Insufficient staff and inadequate budget to achieve compliance with many mandated security controls;
- Inability to offer salaries that are competitive with the private sector for candidates with skills in high demand;
- Lack of appropriate training opportunities in highly technical roles to ensure proper risk evaluation and support security infrastructure; and
- Budgetary conflicts between security and operations executives that result in organizational failure to address security needs.
A House bill, the HHS Data Protection Act, was a direct result of an investigative finding that originated from a series of current and previous network breaches against the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS). The investigation revealed that the incidents were partly due to organizational structures that imperiled security in favor of operations. The report advised HHS to separate the IT executives, and the bill will do exactly that.
Additionally, some private sector organizations have separated security from the CIO. Several of the “Big Four” consulting firms are actively advocating for this structural change.
A Healthy Rivalry
It is important to understand that the relationship between the CISO and CIO will always be somewhat adversarial, and that’s OK. A healthy rivalry is a good way to ensure checks and balances within the organization, which is one of the fundamental reasons why the security leader should never report to the CIO, but rather engage in a partnership.
Both positions have too much on their plates to begin with, so it makes sense to work in tandem. Both are responsible for leadership and vision where IT and security implementations are concerned. Both have critical roles to drive the business forward, and the CISO needs to provide insight and guidance to ensure that the security strategy is sound.
Information security leadership is beginning to gain board seats, building consensus to provide a security strategy that enables the business to move forward. What was once solely the CIO’s responsibility has now become a part of the security leader’s daily workload. It is important to set attainable metrics for business success to convey actions to the board, and for both executives to work together to ensure that operations are conducted securely.
Building Trust
Trust is a key ingredient here because it affects the CIO-CISO partnership as well as the executives’ shared effort to unite all departments under a single security umbrella. Building that trust is a challenge; both executives must be solid communicators who are able to defuse the tensions between their competing priorities.
These two roles are interdependent, since the CIO relies upon the CISO for advice, guidance and risk evaluation while the CISO depends on the CIO for support and infrastructure resources. They must work together with a holistic, integrated approach that empowers every business department within the organization with a clear vision. Together, they must build trust, formulate priorities and execute them.
Information security is no longer an IT support issue, but a strategic business responsibility. Both IT executives must share common goals for security and IT operations to be successful.
Chief Information Security Architect, Securityminders