The CIO should report to the CISO

And the CISO should report directly to the CEO.


Since the role of CISO was invented by Citibank in 1995, there have been frequent debates on reporting structure. The most common shape for that debate is: should the Chief Information Security Officer report to the CIO or the CEO? As someone who lived through the great quality revolution in automotive, I have long advocated for the CISO to report directly to the CEO. In recent months I have come to the further realization that it is time for the CIO to report to the CISO.

Let’s review quickly the early 1980s, when Japan was at the top of its miraculous growth in manufacturing. In only a few decades it had moved from being the world’s supplier of shoddily made trinkets to the top producer of quality automobiles. US manufacturers were churning out clunky rattletraps with tolerances measured in inches while new Toyotas and Hondas had tolerances measured in millimeters.

Ford, GM, and what was then Chrysler embarked on a quality revolution. Remember Ford’s mantra? Quality is Job #1. Much of the auto industry’s success came about from a simple fix to org structures. Every manufacturing plant already had its quality department, but the head of quality reported to the plant manager. He or she had no ability to enforce quality standards because the plant manager viewed shipping products as job #1. The fix was to change reporting. The quality manager now reported to someone outside and above the plant manager. They were empowered to enforce quality, even at the expense of shutting down an entire plant if needed.

Security and quality bear a lot of similarities. I think it is safe to say that most organizations treat IT security as a necessary evil, an add-on, an afterthought. The most enlightened CISOs have managed to inculcate a consultative approach to security. They have created teams of internal consultants who are involved at the early stage of each new IT project or product development effort. At least they are at the table when critical decisions are made. Should we require two-factor authentication for our new app even though that will add friction to the enrollment process? Should we audit all the open source libraries we use? Can we justify collecting all that data from our customers in light of GDPR?

But most CISOs still report to the CIO, who controls their budget and is able to veto critical security requirements in favor of cost saving or other priorities. After all: business comes first.

There is one advantage to having the CISO report to the CIO. In the event of a major breach the blame can be put on the CISO. I think you will agree it is better not to have a breach than it is to have a scapegoat.

It is the CIO who decides to move the company to Office 365. It is the CIO who picks the VoIP solution. It is the CIO who orchestrates the move to the cloud and the consolidation of all the data centers. The CISO’s job is to ensure there are security controls over all these moves. They take on all the responsibility for the security implications but do not get to veto the wrong decisions.

Turn that around. Put the CISO at the top of the org chart, reporting directly to the CEO and even having a seat on the board of directors. Now the CIO role is ancillary to security. She is still responsible for deploying new technologies and managing IT infrastructure, but her budget is controlled by the CISO. She knows that every proposed project will have to incorporate strong security justifications.

But wait. CISOs are very specialized. They are experts in regulatory compliance and comfortable putting out fires instead of building things that are secure. How can we flip-flop the roles?

It has been 22 years since the CISO role was first introduced. There is supposedly a dearth of qualified people for the many open CISO positions posted every day on LinkedIn. How will it be possible for organizations to signal their intention to make Security Job #1 if they cannot even find CISOs, let alone CISOs that can manage the entire IT department? Simple. Make the CIO the CISO and have him hire a CIO to do his old job. There are already a few instances of CISOs being promoted to CIO. Take advantage of those moments to elevate the CISO role.

Another avenue is to recruit from a top ten financial institution. The CISOs there manage staffs of thousands and budgets of well over $100 million. Of course they are perfectly capable of taking on the CIO role at just about any large corporation. They will jump at the chance to finally build a secure enterprise, one that treats security as Job #1.

This article is published as part of the IDG Contributor Network.