Cybersecurity plays a critical role in enterprises today. It has evolved from playing a fringe role to one that impacts every person in every business developed over the past 15 years. This shift will continue as we see not only more frequent attacks but also more devastating effects from cyber breaches.

A critical change in how organizations treat cybersecurity revolves around the reporting structure for chief information security officers (CISOs). One reason that there are more frequent and more severe breaches relates to CISOs not having a proper “seat at the table” with the executive team.

Where Should the CISO Fit in the C-Suite?

For more accountability, a CISO should report to the chief executive officer (CEO) or another C-suite executive who is not the chief information officer (CIO). Creating strong integration and interaction between the CISO and the rest of the C-suite creates enhanced resilience and protection for organizations.

Historically, information security professional roles developed out of the information technology (IT) discipline. Firewalls were one of the initial critical security devices, and the networking teams were responsible for these systems. Next came intrusion detection and prevention systems. More components developed out of networking and IT, such as proxy servers, email protection, identity and access management and so on.

With IT leading the way for information security, it made sense that the senior security professional came from the IT department. We are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.

Information security is a business risk, not simply a technical risk. According to the IBM Cost of a Data Breach study, it takes an average of 287 days to identify and contain a data breach. This number illustrates how vulnerable businesses are. Elevating CISOs to the C-suite grants them the necessary visibility to tackle this substantial problem.

Data breaches can have public relations, human resources and legal implications. Individuals responsible for securing these environments must have knowledge of, and access to, staff that owns these responsibilities. A security manager in an IT department has neither. Organizations will continue to suffer data breaches (and struggle to address them quickly) as long as they treat information security as an IT problem.

Conflicts of Interest Between CISOs and CIOs

A very common complaint I hear from CISOs is that they do not receive the resources they need to secure their enterprises. While some companies understand how and where the CISO fits into the leadership structure, the majority do not. One individual that works for a local government told me he took a position as a CIO rather than a CISO because he “knew the CISO role was that of a fall guy.” He believes he was only offered the CISO position because the CIO wanted someone to blame if things went badly. This example clearly shows the conflict of interest that exists when a CISO reports to a CIO.

One CISO working in the industrial market told me that there’s an “inherent tension between me and others that report to the CIO.” This frequently occurs due to the trade-off between security and efficiency, which impacts business units throughout an enterprise. When manufacturing wants to continue running a legacy system with outdated software and the CISO says no, this impacts revenue. When the CIO manages both the security team and the team that manages revenue-generating systems, that individual might make a decision that is not in the best interest of the organization as a whole.

A CISO in the financial services market bluntly told me: “Yes, it is a conflict of interest reporting to the CIO.” The CIO at this firm would withhold information from the rest of the C-suite when he felt it would reflect negatively on him or his IT teams. But this same CIO had no problem blaming the CISO when there were impacts to productivity from security measures or conflicts between security and other IT departments. While individuals handle communication and decision-making differently, there can be no doubt that when security reports up through the IT organization, serious conflicts of interest are likely to occur.

Organizations Must Change

A CIO incentivized by short-term productivity is likely to make poor security decisions. When the CIO has incentives tied to output, security often takes a backseat. This puts the CISO, and the organization as a whole, in jeopardy. The CISO who reports to the CIO has no control over decisions that impact security risk. Having a CISO as a peer to the CIO alleviates this conflict of interest. It also holds true to the original meaning of “C-level” leadership, creating an executive team that advocates for the different priorities and policies that keep a business on the right track.

IT has shifted tectonically over the past 30 years, and information security has become a discipline in its own right in the past 10 years. We are now at a crossroads which requires recognizing that CISOs should come from outside the IT organization. Too many bad decisions have been made due to the conflict of interest between security and IT leadership.

As Marc Crudgington asserts in The Coming Cyber War, “Cyber Security is an enterprise-wide risk management issue — there is no backing away anytime soon from this reality.” Moving the CISO into alignment with the rest of the C-suite allows business risk drivers to inform security decisions. Providing CISOs with proper authority and alignment with other C-suite executives empowers organizations and enhances cybersecurity resilience.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…