[BreachExchange] Where Do CISOs Belong in an IT Org Chart?

Destry Winant destry at riskbasedsecurity.com
Fri Apr 5 09:23:47 EDT 2019


https://www.informationweek.com/where-do-cisos-belong-in-an-it-org-chart/d/d-id/1334334

As security breaches continue to impact the bottom lines of major
businesses and institutions around the world, the role of the chief
information security officer (CISO) is taking on new prominence -- and
fueling existing controversies over where responsibility for data
security ultimately lies within the organization.

Typically, the CISO function has reported to the chief information
officer, but emerging trends in corporate management styles, such as
the creation of chief digital officers (CDOs) at many organizations,
are calling that hierarchy into question. In addition, some CIOs and
CISOs feel that there is a natural conflict of interest between their
two disciplines: While CIOs typically accelerate growth and adoption
of digital technologies to streamline operations and drive revenue,
CISOs tap the brakes in the name of security and privacy controls.

“As the business matures and understands that cyber risk is a business
issue -- not an IT issue -- the powers-that-be will start realizing
that having a CISO report to a CIO is an outright conflict of
interest,” says CISO Ayad “Ed” Sleiman of KAUST (King Abdullah
University of Science and Technology) in Saudi Arabia.

Traditionally, a CIO wants to deliver performance and functionality,
while the CISO provides security -- which impacts at least one, if not
both of those objectives in every project, Sleiman says. “Thus, it is
prudent to have the CISO report to higher function under risk, or
finance, or the CEO, or even the board. This ensures two things:
Proper governance can be employed, and conflict of interest is
removed.”

Drew Martin, CIO for fast-food maker Jack in the Box Inc. in San
Diego, says that CISOs should continue reporting into the CIO, but
their influence should not stop there. “I think every breach that gets
reported typically has two root causes: There’s always a technical
cause identified, but I’ve always believed that upon further
inspection, you can trace it back to ineffective governance,” he says.
This governance shortcoming can be due to the CISO not having enough
voice and objectivity in an organization, he adds.

To strike a better balance between the interests of growth and
enhanced security, Martin recommends that boards of directors
establish “a planned cadence within their enterprise risk management
framework and audit committees, to systematically assess information
security risks and confirm there are sufficient mitigation plans --
and associated funding and resources being allocated towards the
information security roadmap.”

“The battle for where the CISO sits is far from over,” says Brandon
Johnson, CIO and EVP of corporate operations at the publicly traded
professional services firm Resources Global Professionals. “The
challenge has been -- and continues to be -- that to manage
information security risks well requires a specialized set of skills,
but this must be balanced against the need to reduce internal conflict
of interest when allocating resources and having objectivity within
the business in addressing these risks.”

In midsize companies, the CISO role -- even if it's only a fractional
responsibility -- often rolls up to the CIO, since these organizations
tend to rely on a small team, or even a single person, to manage both
IT and data security needs. “I doubt this will change over time,”
Johnson says. However, “In larger companies where there is a
recognition that the CISO role is a gatekeeper and risk manager, I
believe it will shift more to the enterprise risk management function.
I don't see it reporting directly to CEOs yet, as it isn't a
stand-alone function, but that may occur over time.”

“Why not have two bosses?” suggests Mike Davis, CISO for Alliantgroup
LP, a national tax consulting services firm, based in Houston. “For
example, the military has two chains of command -- operational and
administrative -- which works well for managing the lifecycle of all
the activities and relationships needed,” says Davis, a former chief
systems engineer and information assurance (cyber) technical authority
for the U.S. Navy. “Why not report to the CIO for the operational
aspects, and the CDO or risk officer for the administrative side,
particularly for risk management. This second boss could also be the
COO or CEO, if there is no C-level risk officer, or if the company
wants to demonstrate their commitment to cyber risk overall.”

He adds that if he had to pick one corporate officer as boss to CISOs,
he’d choose the COO. “The CEO already has a wide span of control. The
CISO should be enhancing business operations and innovation -- as well
as reducing risk.”
