December 21, 2021 By Security Intelligence Staff 4 min read


Cybersecurity plays a critical role in enterprises today. Over the past 15 years it has evolved from a fringe function into one that impacts every person in every business. This shift will continue as we see not only more frequent attacks but also more devastating effects from cyber breaches.

A critical change in how organizations treat cybersecurity revolves around the reporting structure for chief information security officers (CISOs). One reason that there are more frequent and more severe breaches relates to CISOs not having a proper “seat at the table” with the executive team.

Where Should the CISO Fit in the C-Suite?

For more accountability, a CISO should report to the chief executive officer (CEO) or another C-suite executive who is not the chief information officer (CIO). Creating strong integration and interaction between the CISO and the rest of the C-suite creates enhanced resilience and protection for organizations.

Historically, information security professional roles developed out of the information technology (IT) discipline. Firewalls were one of the initial critical security devices, and the networking teams were responsible for these systems. Next came intrusion detection and prevention systems. More components developed out of networking and IT, such as proxy servers, email protection, identity and access management and so on.

With IT leading the way for information security, it made sense that the senior security professional came from the IT department. We are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.

Information security is a business risk, not simply a technical risk. According to the IBM Cost of a Data Breach study, it takes an average of 287 days to identify and contain a data breach. This number illustrates how vulnerable businesses are. Elevating CISOs to the C-suite grants them the necessary visibility to tackle this substantial problem.

Data breaches can have public relations, human resources and legal implications. Individuals responsible for securing these environments must have knowledge of, and access to, staff that owns these responsibilities. A security manager in an IT department has neither. Organizations will continue to suffer data breaches (and struggle to address them quickly) as long as they treat information security as an IT problem.

Conflicts of Interest Between CISOs and CIOs

A very common complaint I hear from CISOs is that they do not receive the resources they need to secure their enterprises. While some companies understand how and where the CISO fits into the leadership structure, the majority do not. One individual who works for a local government told me he took a position as a CIO rather than a CISO because he “knew the CISO role was that of a fall guy.” He believes he was only offered the CISO position because the CIO wanted someone to blame if things went badly. This example clearly shows the conflict of interest that exists when a CISO reports to a CIO.

One CISO working in the industrial market told me that there’s an “inherent tension between me and others that report to the CIO.” This frequently occurs due to the trade-off between security and efficiency, which impacts business units throughout an enterprise. When manufacturing wants to continue running a legacy system with outdated software and the CISO says no, this impacts revenue. When the CIO manages both the security team and the team that manages revenue-generating systems, that individual might make a decision that is not in the best interest of the organization as a whole.

A CISO in the financial services market bluntly told me: “Yes, it is a conflict of interest reporting to the CIO.” The CIO at this firm would withhold information from the rest of the C-suite when he felt it would reflect negatively on him or his IT teams. But this same CIO had no problem blaming the CISO when there were impacts to productivity from security measures or conflicts between security and other IT departments. While individuals handle communication and decision-making differently, there can be no doubt that when security reports up through the IT organization, serious conflicts of interest are likely to occur.

Organizations Must Change

A CIO incentivized by short-term productivity is likely to make poor security decisions. When the CIO has incentives tied to output, security often takes a backseat. This puts the CISO, and the organization as a whole, in jeopardy. The CISO who reports to the CIO has no control over decisions that impact security risk. Having a CISO as a peer to the CIO alleviates this conflict of interest. It also holds true to the original meaning of “C-level” leadership, creating an executive team that advocates for the different priorities and policies that keep a business on the right track.

IT has shifted tectonically over the past 30 years, and information security has become a discipline in its own right in the past 10 years. We are now at a crossroads that requires recognizing that CISOs should come from outside the IT organization. Too many bad decisions have been made due to the conflict of interest between security and IT leadership.

As Marc Crudgington asserts in The Coming Cyber War, “Cyber Security is an enterprise-wide risk management issue — there is no backing away anytime soon from this reality.” Moving the CISO into alignment with the rest of the C-suite allows business risk drivers to inform security decisions. Providing CISOs with proper authority and alignment with other C-suite executives empowers organizations and enhances cybersecurity resilience.
