Target’s recent appointment of Brad Maiorino was received with great fanfare this past week, an indication that Target was willing to bring in the “big guns” to address security in the wake of last fall’s massive data breach at the big-box retailer. But the disclosure that the position will report to Target’s CIO has rekindled the debate over which reporting structure lets a CISO deliver the best overall security.
In last week’s ‘SANS Newsbites’ newsletter, Stephen Northcutt, Shawn Henry and John Pescatore debated the wisdom of this reporting structure, with Northcutt and Henry arguing that it diminishes the effectiveness of the CISO. Pescatore, on the other hand, claimed, “there is zero real-world correlation that security goes up - or down (when the CISO reports to the CIO)”. While I agree with John that the relationship between the CISO and his/her boss is critically important to the CISO’s success, I am compelled to point out that there actually is empirical data supporting the argument that having the CISO report outside of the CIO’s office does improve the organization’s security when measured against downtime and financial losses.
This finding comes from the 2014 Global State of Information Security Survey, conducted each year for more than a decade by PwC, CSO and CIO magazine. I’ve not previously called out this data because I thought this argument had been put to bed… apparently I was wrong. So here it is:
- With more than 9,000 respondents from around the globe, the survey found that organizations in which the CISO reported to the CIO experienced 14% more downtime due to cyber security incidents than organizations in which the CISO reported to the CEO.
- When the CISO reported to the CIO, financial losses were 46% higher than when the CISO reported to the CEO. In fact, having the CISO report to almost any other senior position (Board of Directors, CFO, etc.) reduced financial losses from cyber incidents. These are associations across survey respondents, not a controlled comparison, but the direction is consistent across the measures.
I also examined the findings from the 2013 survey and found the same basic conclusion: reporting to the CEO or the Board of Directors, instead of the CIO, significantly reduces downtime and financial losses resulting from cyber security incidents.
I’ve always believed that not every organization is the same and that no one model will work everywhere. However, there’s a lot to be said for having IT security leadership report to the top of the house, but not to the CIO: the reduction in conflict of interest between the CIO’s objectives and the CISO’s objectives, the ability to escalate issues to the top of the house, as well as the opportunity it provides for security to influence corporate leadership. It's critical that the CISO and the CIO work together towards the common goal of aligning security with the business objectives and risk appetite of the organization, but it's clearly best done when they are peers with an equal voice in the discussion.