[BreachExchange] Is 2019 the Year of the CISO?

Destry Winant destry at riskbasedsecurity.com
Fri Jul 19 09:30:49 EDT 2019


https://www.darkreading.com/risk/is-2019-the-year-of-the-ciso/a/d-id/1335192

PwC reported that 81% of investors and analysts responding to its 2018
Global Investor Survey ranked cybersecurity among the top three
threats to business; more than half of those said that cybersecurity
was the No. 1 biggest threat to business. The natural upshot should be
that the CISO is more important to business strategy — but in many
cases, that's an uphill climb.

The traditional view of the CISO is that of a specialized mini-CIO —
existing to achieve compliance, put out security fires, and stand in
as a scapegoat for when something inevitably goes wrong so the CIO
doesn't have to take the heat. A case in point: Target had no CISO
when it suffered its infamous point-of-sale mega breach in 2013;
consequently, it was Target's then CIO who was compelled to resign
shortly thereafter. Only then did Target create and fill a CISO
position, answering to the new CIO.

Across both the private sector and the public sector, the plurality of
CISOs report to the CIO. A subset of enterprise organizations,
however, are increasingly realizing that this is a suboptimal
approach.

For starters, many have recognized that a CIO having a CISO answer to
him or her presents a conflict of interest because the CIO and CISO
each have different budgetary interests and are measured against
different objectives. Whereas CISOs are so security-driven that
"security" is right in their job titles, CIOs are pressured to make
decisions that favor business agility above all else; security is an
afterthought compared with functional viability. Meanwhile, CISOs have
"security" in their job titles for a reason — but a CISO who reports
to a CIO or other IT operations manager is unlikely to report his or
her boss to the legal department for inevitable compliance failures.

Over the past few years, Congressional staffers, federal and state
regulatory bodies, and industry collaboratives alike have made these
same observations — specifically dictating that CISOs report to a risk
officer, the general counsel, the CEO, or even straight up to the
board of directors. Lately, these recommendations and requirements
have begun to take hold. A May 2018 industry report from Dark Reading
about the role of CISOs notes that CISOs have at least a "dotted
reporting structure" — if not a direct one — to boards and/or CEOs.
And this reporting structure is crucial not only for mitigating
liability and compliance risks (i.e., so that, after an
inevitable data breach, the company can show regulators that its board
of directors and CEO met with the CISO on cybersecurity issues x
number of times every year), but also for crafting cybersecurity and
data-stewardship solutions for effective business strategy going
forward. Without the CISO, boards and CEOs may not even be able to
identify the right questions to ask or the right problems to solve in
the first place.

The whole concept of a CIO indicates that that person has full control
of the company's infrastructure and IT decisions. A CISO would
typically be a part of that, but that's not necessarily reflective of
what the pecking order should be. Just because the CISO will work
extensively with the CIO doesn't mean that the CISO should report to
the CIO — just like the general counsel shouldn't report to the
executive vice president of sales just because the legal department
has to work extensively with the sales teams. These are separate
entities working together incidentally — and the IT team and the
information security team are likewise separate from each other.

This is because the CISO position is no longer a niche technology
role. Cyber presence is sufficiently ubiquitous today that, for many
enterprise organizations, the Internet is their primary (if not only)
go-to-market platform. In this environment, the CISO's job must be one
to step to the forefront and evangelize the following bullet points:

- "We are under attack." There are constant attempted cyberattacks —
usually automated — every single day against every major enterprise.
- "Our attackers will succeed, eventually." Everybody's being
breached. We, too, will be breached someday (assuming we haven't been
breached already). We must be prepared with the knowledge and tools to
minimize and respond both during and after a breach.
- "Cybersecurity is a business issue — not a tech issue." How we
manage our cyber presence and secure our data drastically affects our
ability to do business — from an accessibility standpoint, from a
brand-trust standpoint, and from a regulatory compliance standpoint.

All of these bullet points combined make for a grander and more
important message, which is one that investors already know:
"Cybersecurity is about extreme monetary risk."

And there you have it. CISOs deal with far heavier risk assessment and
risk management issues than do generalist IT leaders — to the point
where their job is all about risk and only incidentally about IT,
rather than the other way around. The CISO job therefore just needs to
be part of the organization's risk hierarchy instead of the IT
department. The CISO is, first and foremost, a risk manager — a
digitally present risk manager, but a risk manager nonetheless.

Let the CISO answer accordingly.

