Cybersecurity plays a critical role in enterprises today. It has evolved from playing a fringe role to one that impacts every person in every business developed over the past 15 years. This shift will continue as we see not only more frequent attacks but also more devastating effects from cyber breaches.
A critical change in how organizations treat cybersecurity revolves around the reporting structure for chief information security officers (CISOs). One reason that there are more frequent and more severe breaches relates to CISOs not having a proper “seat at the table” with the executive team.
Where Should the CISO Fit in the C-Suite?
For more accountability, a CISO should report to the chief executive officer (CEO) or another C-suite executive who is not the chief information officer (CIO). Creating strong integration and interaction between the CISO and the rest of the C-suite creates enhanced resilience and protection for organizations.
Historically, information security professional roles developed out of the information technology (IT) discipline. Firewalls were one of the initial critical security devices, and the networking teams were responsible for these systems. Next came intrusion detection and prevention systems. More components developed out of networking and IT, such as proxy servers, email protection, identity and access management and so on.
With IT leading the way for information security, it made sense that the senior security professional came from the IT department. We are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.
Information security is a business risk, not simply a technical risk. According to the IBM Cost of a Data Breach study, it takes an average of 287 days to identify and contain a data breach. This number illustrates how vulnerable businesses are. Elevating CISOs to the C-suite grants them the necessary visibility to tackle this substantial problem.
Data breaches can have public relations, human resources and legal implications. Individuals responsible for securing these environments must have knowledge of, and access to, staff that owns these responsibilities. A security manager in an IT department has neither. Organizations will continue to suffer data breaches (and struggle to address them quickly) as long as they treat information security as an IT problem.
Conflicts of Interest Between CISOs and CIOs
A very common complaint I hear from CISOs is that they do not receive the resources they need to secure their enterprises. While some companies understand how and where the CISO fits into the leadership structure, the majority do not. One individual that works for a local government told me he took a position as a CIO rather than a CISO because he “knew the CISO role was that of a fall guy.” He believes he was only offered the CISO position because the CIO wanted someone to blame if things went badly. This example clearly shows the conflict of interest that exists when a CISO reports to a CIO.
One CISO working in the industrial market told me that there’s an “inherent tension between me and others that report to the CIO.” This frequently occurs due to the trade-off between security and efficiency, which impacts business units throughout an enterprise. When manufacturing wants to continue running a legacy system with outdated software and the CISO says no, this impacts revenue. When the CIO manages both the security team and the team that manages revenue-generating systems, that individual might make a decision that is not in the best interest of the organization as a whole.
A CISO in the financial services market bluntly told me: “Yes, it is a conflict of interest reporting to the CIO.” The CIO at this firm would withhold information from the rest of the C-suite when he felt it would reflect negatively on him or his IT teams. But this same CIO had no problem blaming the CISO when there were impacts to productivity from security measures or conflicts between security and other IT departments. While individuals handle communication and decision-making differently, there can be no doubt that when security reports up through the IT organization, serious conflicts of interest are likely to occur.
Organizations Must Change
A CIO incentivized by short-term productivity is likely to make poor security decisions. When the CIO has incentives tied to output, security often takes a backseat. This puts the CISO, and the organization as a whole, in jeopardy. The CISO who reports to the CIO has no control over decisions that impact security risk. Having a CISO as a peer to the CIO alleviates this conflict of interest. It also holds true to the original meaning of “C-level” leadership, creating an executive team that advocates for the different priorities and policies that keep a business on the right track.
IT has shifted tectonically over the past 30 years, and information security has become a discipline in its own right in the past 10 years. We are now at a crossroads which requires recognizing that CISOs should come from outside the IT organization. Too many bad decisions have been made due to the conflict of interest between security and IT leadership.
As Marc Crudgington asserts in The Coming Cyber War, “Cyber Security is an enterprise-wide risk management issue — there is no backing away anytime soon from this reality.” Moving the CISO into alignment with the rest of the C-suite allows business risk drivers to inform security decisions. Providing CISOs with proper authority and alignment with other C-suite executives empowers organizations and enhances cybersecurity resilience.