Cybersecurity plays a critical role in enterprises today. Over the past 15 years it has evolved from a fringe function into one that impacts every person in every business. This shift will continue as we see not only more frequent attacks but also more devastating effects from cyber breaches.

A critical change in how organizations treat cybersecurity revolves around the reporting structure for chief information security officers (CISOs). One reason that there are more frequent and more severe breaches relates to CISOs not having a proper “seat at the table” with the executive team.

Where Should the CISO Fit in the C-Suite?

For more accountability, a CISO should report to the chief executive officer (CEO) or another C-suite executive who is not the chief information officer (CIO). Strong integration and interaction between the CISO and the rest of the C-suite produces enhanced resilience and protection for organizations.

Historically, information security professional roles developed out of the information technology (IT) discipline. Firewalls were one of the initial critical security devices, and the networking teams were responsible for these systems. Next came intrusion detection and prevention systems. More components developed out of networking and IT, such as proxy servers, email protection, identity and access management and so on.

With IT leading the way for information security, it made sense that the senior security professional came from the IT department. We are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.

Information security is a business risk, not simply a technical risk. According to the IBM Cost of a Data Breach study, it takes an average of 287 days to identify and contain a data breach. This number illustrates how vulnerable businesses are. Elevating CISOs to the C-suite grants them the necessary visibility to tackle this substantial problem.

Data breaches can have public relations, human resources and legal implications. Individuals responsible for securing these environments must have knowledge of, and access to, staff that owns these responsibilities. A security manager in an IT department has neither. Organizations will continue to suffer data breaches (and struggle to address them quickly) as long as they treat information security as an IT problem.

Conflicts of Interest Between CISOs and CIOs

A very common complaint I hear from CISOs is that they do not receive the resources they need to secure their enterprises. While some companies understand how and where the CISO fits into the leadership structure, the majority do not. One individual who works for a local government told me he took a position as a CIO rather than a CISO because he “knew the CISO role was that of a fall guy.” He believes he was only offered the CISO position because the CIO wanted someone to blame if things went badly. This example clearly shows the conflict of interest that exists when a CISO reports to a CIO.

One CISO working in the industrial market told me that there’s an “inherent tension between me and others that report to the CIO.” This frequently occurs due to the trade-off between security and efficiency, which impacts business units throughout an enterprise. When manufacturing wants to continue running a legacy system with outdated software and the CISO says no, this impacts revenue. When the CIO manages both the security team and the team that manages revenue-generating systems, that individual might make a decision that is not in the best interest of the organization as a whole.

A CISO in the financial services market bluntly told me: “Yes, it is a conflict of interest reporting to the CIO.” The CIO at this firm would withhold information from the rest of the C-suite when he felt it would reflect negatively on him or his IT teams. But this same CIO had no problem blaming the CISO when there were impacts to productivity from security measures or conflicts between security and other IT departments. While individuals handle communication and decision-making differently, there can be no doubt that when security reports up through the IT organization, serious conflicts of interest are likely to occur.

Organizations Must Change

A CIO incentivized by short-term productivity is likely to make poor security decisions. When the CIO has incentives tied to output, security often takes a backseat. This puts the CISO, and the organization as a whole, in jeopardy. The CISO who reports to the CIO has no control over decisions that impact security risk. Having a CISO as a peer to the CIO alleviates this conflict of interest. It also holds true to the original meaning of “C-level” leadership, creating an executive team that advocates for the different priorities and policies that keep a business on the right track.

IT has shifted tectonically over the past 30 years, and information security has become a discipline in its own right in the past 10 years. We are now at a crossroads that requires recognizing that CISOs should come from outside the IT organization. Too many bad decisions have been made due to the conflict of interest between security and IT leadership.

As Marc Crudgington asserts in The Coming Cyber War, “Cyber Security is an enterprise-wide risk management issue — there is no backing away anytime soon from this reality.” Moving the CISO into alignment with the rest of the C-suite allows business risk drivers to inform security decisions. Providing CISOs with proper authority and alignment with other C-suite executives empowers organizations and enhances cybersecurity resilience.
