Generally speaking, prior discussions on this subject have focused on two questions.
1. Where does the role of CISO belong in the organizational structure?
2. What are the “pros and cons” of various reporting structures?
So, why am I bringing this to your attention now? Because successful attacks on Big Data have become a much too frequent news lead. Information security and executive management have come under heavy fire in recent years due to a large number of high-profile data breaches (Yahoo, Target, Home Depot, Anthem BC/BS, the FBI, the Veterans Administration, and the list goes on). After each incident, someone must answer the questions: “How did this happen?” and “How do we prevent this from happening again?” The person in the “hot” seat is the person best able to answer these questions, namely the CISO.
CISOs are being roasted, and not at comedy clubs. And you say, “Someone must be held responsible for allowing this to happen”. I agree about responsibility, but I am skeptical of the sacrificial offering.
The CISO is an executive level position that exists to provide executive management with expert counsel and advice on matters of information security and asset protection. Unlike a Director of Information Security, the CISO has overall responsibility for information security management and also serves as the spokesperson representing INFOSEC to the executive committee. The success of the new CISO depends on accomplishing two meaningful goals within the first one hundred days:
1. developing a sound organizational foundation for the INFOSEC program and
2. demonstrating tactical progress to the members of the executive committee
To accomplish these objectives, the new CISO should not focus solely on technical details that may isolate the security organization from the key business operations. The CISO needs to be an integral part of the senior management team, not just the lead technical manager. A primary goal in the first 100 days should be to hire or select staff with the specialized skills that the INFOSEC program will require and then to organize this team in the most effective way possible.
If these objectives are known and generally accepted, why then do so many new CISOs fail? The answer is that achieving success demands that both personal and organizational characteristics are present. A successful CISO possesses strong leadership and communication skills coupled with technical knowledge and vision. These personal characteristics suggest success, but the organization also has a responsibility to the CISO.
There are at least three keys to making the CISO role successful:
1) Independence – The CISO should be independent of influence or pressure from those involved in the day-to-day protection or purchase of corporate assets.
2) Empowerment – The CISO should be empowered to recommend, and upon agreement of the executive team, deploy all necessary processes, safeguards, and awareness training.
3) Organizational Position – The CISO should be positioned within the organization so as to facilitate his or her role as an enabler of “best practices”. It is essential that the implementation, audit, and enforcement of “best practices” should not be limited to IT. INFOSEC issues are business issues.
In 2016, the roles of CIO, CTO, and CISO are still restricted, in many cases, to issues concerning new or embedded technologies. This organizational issue may lead to a duplication of effort and confusion as to the correct course of action in an emergency, leading to a slower response time. Is there a better way?
To answer that, let’s consider the totality of vulnerabilities found in information security. Research indicates that vulnerabilities may fall under one of three categories:
1. People – intentional or unintentional actions by people cause over 50% of incidents
2. Process – good security is a process; every pen test or audit offers the opportunity to revise and improve your existing processes
3. Technology – technology is everywhere, and therefore the likelihood of an exploitable vulnerability existing in your organization is high.
The Venn Diagram to the left illustrates what this relationship might look like. It is clear that the realms of people, processes, and technology overlap. Frequently, vulnerabilities are not isolated in silos that can be addressed simply by making technological changes. Consequently, approximately 50% of INFOSEC vulnerabilities are found in the realms of people and process, not in technology. The role of CISO demands developing comprehensive solutions to complex business problems; therefore, its place in the organization should reflect that requirement.
A survey conducted in July 2014 by ThreatTrackSecurity found that:
1. 47% of CISOs report to the CEO or president,
2. 45% report to the CIO,
3. 4% to the chief compliance officer,
4. 2% to the COO or CFO,
5. 2% to other.
An additional finding of this 2014 survey was that legacy C-level managers view the role of CISO as a desirable addition to the executive committee because they view the CISO as a scapegoat should the organization experience a catastrophic cyber breach. This finding confirms an opinion long held by the author of this article.
It would be wonderful (and too simple) if by writing this article, I could inform every organization and agency where the CISO(s) should reside in their respective hierarchies. Such a declaration would be hubris. The only person who can decide where your CISO belongs is “you”, the reader. By this, I mean someone with an in-depth understanding of the organization in question. That person may be an FTE or an experienced INFOSEC consultant. However, I can give you a framework on which you may base your decision.
1) The information security related roles of CIO, CTO, and CISO are all siloed in the same way. The best case is that they reinforce each other and present a solid front on matters of information security. The worst case leads to in-fighting which results in a fragmented security program. Attempting to manage a comprehensive, business focused security initiative from a siloed base will never work.
2) Since the CISO may be the newest addition to the executive team, there is a tendency to place the newcomer under the aegis of a mentor. This should be avoided.
3) Remember that your new CISO must be both technically skilled and a great communicator.
4) Remember the three keys to success: independence, empowerment, and organizational position.
Now, let’s evaluate our three keys to CISO success against a hypothetical organization.
1) Reports to the CEO or President
a. Independence – yes
b. Empowerment – yes
c. Organizational position – yes
2) Reports to CIO
a. Independence – no
b. Empowerment – maybe
c. Organizational position – no
3) Reports to Chief Compliance Officer
a. Independence – maybe
b. Empowerment – maybe
c. Organizational position – yes
4) Reports to the COO or CFO
a. Independence – maybe
b. Empowerment – maybe
c. Organizational position – maybe
The Venn Diagram, referenced above, speaks to the concern that the CISO’s influence should not be siloed in IT without the capacity to affect business operations throughout the organization. It is possible that homing the CISO in IT may work, but my personal experience does not support this alternative.
Wherever the CISO is homed, there will be griping and complaints from the legacy C-levels. Some will want to claim the new member in order to extend their own influence. Others will want to avoid INFOSEC for fear of fallout from a data breach. This is life at the executive level.
The success of your chosen CISO should be dependent on his or her experience, skills, and an organizational scheme that recognizes security problems are business problems. After working through the above thought process, you now know where your CISO should be homed for the best chance of success.