It’s not uncommon to see CSOs or CISOs reporting to the CEO rather than the CIO. While each company has its own reasons for its organizational and reporting structure, where the CSO sits and to whom they report undoubtedly affects internal relationships within the company, including the critical relationship between CISO and CIO.
Speaking at the UK CIO Summit in London, two CIOs discuss their relationship with security and how their roles work with the security function.
CSOs rarely peers of the CIO in the UK
According to the results of the UK CIO 100 survey, around 65% of companies in the UK have a CISO or equivalent who reports into the CIO function. Just 12% of organizations say the CISO is a peer of the CIO; that figure roughly tripled over recent years but is slightly down on last year’s.
This lags the US, where the 2019 State of the CIO survey found nearly a quarter of CISOs or equivalents reporting to the CEO (43% of CSOs, 18% of CISOs), with just 45% reporting to the CIO. Wherever they sit, however, CISOs should endeavor to keep CIOs on their side.
CIO/CSO collaboration is key
As CIO for global operations at News Corp, Sabah Carter oversees the company’s facility in Bangalore, which houses data engineering, product engineering, security and infrastructure operations and works across all the company’s flagship products, including News UK, Dow Jones & Company and News Australia. Other business units have their own CIOs and CISOs who look after various geographies, services and product lines in what she describes as a “heavily matrixed structure.”
“I find the best way to navigate that is to draw very tight boundaries. I had a very interesting conversation this week with my CISO and the group CISO talking about who was responsible, and I ended up saying, 'Well, if something comes out of Bangalore and it's not right, my neck’s on the line. So, having a CISO report to me definitely benefits that control, where I think I would probably lose that if I didn't have it.’”
As well as reporting to Carter, her CISO also reports to the general counsel, which has benefits both in terms of budgets and board awareness. “If [a CISO] is working for the CTO or the CIO, then the onus is on that person to work out how to make everything work within the [CIO’s] budget and they get a lot of pressure from CEOs,” she said. “If that person is actually dotted into the CEO or the general counsel, now that risk is shared at that board level, and it's very hard to say no to something at that level then. You're not feeling like you're actually having to justify [security spending]."
“I feel that I'm controlling a lot of the delivery security aspects within my budget, but if it's impacting the potential brands globally, then someone else is having to make a case at the board level, and that's really helpful,” said Carter.
Carter said that whatever the reporting structure, it is key to collaborate and work together. “If you have a culture where people get rewarded for outing each other, then you're going to have that issue,” she said. “If a CISO's job is to run assessments and show where the network security is bad, or where we've done a poor job on something else, then obviously you're setting up in a hostile environment, two opposing factors.”
“Not too long ago, someone was promoting that they wanted to do companywide security assessments across all the different CIOs, and we all rejected that, because what we didn't need was someone marking our homework,” said Carter. “That's absolutely the wrong setup.”
Instead, Carter argued, the CIO and CISO should be working together to find solutions in tandem, rather than pointing fingers and allocating blame. “I don't want anyone to come to me and tell me they found something else about their peers, because the response is always, ‘Why was it like that? Do you have a plan? Don't come back to me until you get a plan, together.’”
CSOs need to show trust in CIOs
CSOs need to be aware that some CIOs might not view the arrival of a new security executive – especially if the position has recently been created – as an entirely positive thing if they have previously been solely responsible for security. “I wonder if the parallel model [CIOs and CSOs sitting at the same level within the organization] actually undermines the CIO role,” said Alan Hill, chief information and digital officer at the University of Exeter, “because we should be operating in the best interest of the business, and I feel able personally to balance those risks of the technology solutions with the risks to the business.”
As the university doesn’t have a CSO, Hill is responsible for security. The university does have a senior information risk owner role (held by the registrar, the equivalent of a deputy CEO) who owns risk within the university, which allows Exeter to bring business and technical risks together in one place. Hill thinks that, for smaller organizations at least, there is often no need for a CISO if there is already a CIO in place.
“This ability to look at threats, interpret them, and put them into the business and come up with policies and guidance and investments around that, that's my business. I think we as a CIO community absolutely get that. If I was in that position and they put in a CISO, I'd be feeling slightly aggrieved. It means you don't trust me to do my job.”
“There's a challenge there for people,” Hill continued. “Is it actually, are we not doing our job properly as CIOs, therefore you need a CISO and a CIO, or am I missing the point?”