If we look at the headlines surrounding recent data breaches, we might conclude that the role of the chief information security officer (CISO) has never been more critical to the success and sustained well-being of an organization. By extension, we might also surmise that the information security organization, and where it reports, is important. This is probably why every recent CISO event includes a conversation about where the CISO and the information security program should reside within an organization. The challenge is that, however healthy the debate, the question of where the CISO and his/her department should report generally ends with ‘it depends’. To shift from debate to productive action, maybe the question is not where the CISO should report, but why it matters.
Frankly, it matters for a number of reasons, not the least of which is that the CISO (or head of information security) is now sharing the repercussions of data breach headlines along with the companies that they represent. This is a very troubling turn of events and why the topic of the role/reporting relationship of the CISO within an organization warrants further discussion and decisive action.
First, the discussion. The protection of information systems and data is integral to business operations, just as the human resources and finance functions are foundational within most organizations. Additionally, just as human resources and finance executives are not responsible for the actions of every employee, the CISO is not responsible for the actions of every employee as they relate to information protection. In fact, like other executives, CISOs are subject matter experts who interpret regulations, establish policy, influence employee behavior and monitor for appropriate outcomes.
Second, information security is not simply a technology problem. The National Association of Corporate Directors (NACD) provides very specific guidance stating that “cybersecurity is an enterprise-wide risk management issue, not just an IT issue.” This is an important point as companies expand their portfolio of third parties that manage critical company systems and data (often bypassing internal IT departments).
Third, if the CISO continues to receive equal media billing alongside their company when there is a data security breach, the CISO should have the authority to effect change on par with the CFO, CIO and other key executives. This includes a direct line of sight to the CEO and board of directors, and command of a budget that extends beyond the IT realm into all areas of the organization where cyber risk is introduced.
Now, the call to action. As a profession, information security is relatively immature. There is no one-size-fits-all job description or reporting structure. Even CIOs can have different reporting lines depending on the company: CEO, CFO, CAO, to name a few possible bosses. Within the CISO community there are also differences in education and in business and technical acumen.
Given the shortage of skilled information security practitioners, let’s assume there is no silver bullet when it comes to the “right” reporting structure or personality type that will guarantee CISO success. However, based on numerous conversations, there is agreement that the information security program and its leader must be aligned to the corporate strategy. To achieve this, the CISO needs access to other C-level executives to ensure alignment and engagement; the latitude to influence and affect employee behavior; the authority to report progress and challenges; and corporate support should the inevitable ‘security event’ happen. And, per the NACD’s guidance, cyber risk needs to be managed as an enterprise risk, with a cross-functional team of key stakeholders assembled to develop an information security strategy.
While every organization will need to establish its own plan for addressing information security as an enterprise risk, there are three activities that necessitate immediate action:
- Organizations need to examine the current reporting role of information security and the level of access to business executives to create clear visibility into all areas of cyber risk. The company should review how it will govern information security and how it will prioritize and fund its risk mitigation activities.
- Companies, academia and the information security industry must partner in the areas of training and coaching for the next generation of security leaders. There must be special emphasis on how to communicate and engage corporate stakeholders and the board.
- As information security breaches continue to make the front pages, organizations need to ensure that headlines don’t drive the information security program. The appropriate protection of data and systems is not a problem du jour and organizations need to assemble key stakeholders to begin strategy development sooner rather than later.
The role of the CISO will continue to evolve, and, as recent events indicate, there is still much to be done to increase the effectiveness of the CISO. It is critical to take the first steps to ensure that the role has the ability to engage at the appropriate level of the organization, and it has never been more important to build the leadership abilities of the CISO. Every organization should consider how it is addressing its cyber risk and what role the CISO plays within the business.
About the Authors:
Brian Engle, CISA, CISSP, is chief information security officer and Texas cybersecurity coordinator for the State of Texas. He can be reached at firstname.lastname@example.org. Renee Guttmann is vice president of information risk and member of the Office of the CISO for Accuvant and formerly served as CISO of Coca-Cola. She can be reached at email@example.com.