To Whom Should The CISO Report?

I met with some security professional friends last night for ribs, beers, and lively security chatter. One of our discussion points was about the organizational position and role of the CISO. Most CISOs in both the public and private sector report into the IT department, typically to the CIO or one of his or her subordinates. My highly experienced dinner guests remarked that throughout their careers, this has been a recipe for disaster. Why? CIOs are paid to bring new business applications on line, maintain SLAs, and make sure that IT services are available when users hit the enter key. In fact CIO bonuses are often tied to metrics around these principles. For security executives to manage risk however, they have to have the authority to delay application deployment or take IT resources off-line if they make the organization more vulnerable to some type of security threat. Since the CISO is subservient to the CIO, the CISO can provide information or even warn the CIO of imminent disaster, but the CIO has the ultimate authority to heed or disregard these warnings. Unfortunately, money often trumps caution (or even morality) so CIOs frequently disregard the CISO’s councel and place their organization in an incredibly risky posture. Why are there so many publicly-disclosed breaches? Here’s one reason. This may sound like an extreme case but I assure you that it happens all the time. Recognizing this dilemma, Senators Lieberman and Collins added a provision in their cybersecurity bill (S.3480) that would demand that federal department leaders delegate to a senior agency officer, designated as a CISO, “the authority and budget necessary to ensure and enforce compliance with” federal security requirements. In other words, CISOs would report to department heads, (i.e. not CIOs) and that CISOs would have the authority and resources to stop the IT trains if they felt like were exceedingly vulnerable to attack or way out of compliance. Yes, this provision caused a big scrum between CIOs, CISOs, security professionals, and technology vendors and in true Washington fashion it will probably get watered down or take years to resolve. That said, just the fact that this type of legislative change was even suggested demonstrates that the existing system has inherent conflicts of interest and doesn’t work.As for the private sector, CEOs, corporate boards, and shareholders should take note. If federal CIOs are sometimes eschewing security best practices and in so doing increasing organizational risk, it is likely that it is happening at some of your organizations as well. As you internalize this, you should also imagine your picture on the front page of the Wall Street Journal (above the fold?) because of some massive security breach at your organization. How can this be fixed? As suggested by the Senate bill, CISOs could report to someone other than the CIO, like the chief risk officer, legal department, or even the CEO. If this move is deemed to radical, perhaps the CISO could become a CIO peer with each individual’s compensation based upon both IT and risk management metrics. At the very least, CIO compensation MUST include some accountability for managing organizational risk so any security breach based on sloppy negligent practices should be cause for CIO termination.I am a security geek so debates like this make for lively dinner conversation. Unfortunately, these issues need to be debated at the highest organizational levels and not just over ribs and beers. I strongly encourage executives to show some leadership in this area since we are all at risk here.