As security breaches continue to impact the bottom lines of major businesses and institutions around the world, the role of the chief information security officer (CISO) is taking on new prominence -- and fueling existing controversies over where responsibility for data security ultimately lies within the organization.
Typically, the CISO function has reported to the chief information officer, but emerging trends in corporate management styles, such as the creation of chief digital officers (CDOs) at many organizations, are calling that hierarchy into question. In addition, some CIOs and CISOs feel that there is a natural conflict of interest between their two disciplines: While CIOs typically accelerate growth and adoption of digital technologies to streamline operations and drive revenue, CISOs tap the brakes in the name of security and privacy controls.
“As the business matures and understands that cyber risk is a business issue -- not an IT issue -- the powers-that-be will start realizing that having a CISO report to a CIO is an outright conflict of interest,” says CISO Ayad “Ed” Sleiman of KAUST (King Abdullah University of Science and Technology) in Saudi Arabia.
Traditionally, a CIO wants to deliver performance and functionality, while the CISO provides security -- which impacts at least one, if not both of those objectives in every project, Sleiman says. “Thus, it is prudent to have the CISO report to higher function under risk, or finance, or the CEO, or even the board. This ensures two things: Proper governance can be employed, and conflict of interest is removed.”
Drew Martin, CIO for fast-food maker Jack in the Box Inc. in San Diego, says that CISOs should continue reporting into the CIO, but their influence should not stop there. “I think every breach that gets reported typically has two root causes: There’s always a technical cause identified, but I’ve always believed that upon further inspection, you can trace it back to ineffective governance,” he says. This governance shortcoming can be due to the CISO not having enough voice and objectivity in an organization, he adds.
To strike a better balance between the interests of growth and enhanced security, Martin recommends that boards of directors establish “a planned cadence within their enterprise risk management framework and audit committees, to systematically assess information security risks and confirm there are sufficient mitigation plans -- and associated funding and resources being allocated towards the information security roadmap.”
[Editor’s note: Learn about how CISOs are adapting to an evolving security landscape in our analysis of a recent CISO benchmark study from Cisco.]
“The battle for where the CISO sits is far from over,” says Brandon Johnson, CIO and EVP of corporate operations at the publicly traded professional services firm Resources Global Professionals. “The challenge has been -- and continues to be -- that to manage information security risks well requires a specialized set of skills, but this must be balanced against the need to reduce internal conflict of interest when allocating resources and having objectivity within the business in addressing these risks.”
In midsize companies, the CISO role -- even if it's only a fractional responsibility -- often rolls up to the CIO, since these organizations tend to rely on a small team, or even a single person, to manage both IT and data security needs. “I doubt this will change over time,” Johnson says. However, “In larger companies where there is a recognition that the CISO role is a gatekeeper and risk manager, I believe it will shift more to the enterprise risk management function. I don't see it reporting directly to CEOs yet, as it isn't a stand-alone function, but that may occur over time.”
“Why not have two bosses?” suggests Mike Davis, CISO for Alliantgroup LP, a national tax consulting services firm, based in Houston. “For example, the military has two chains of command -- operational and administrative -- which works well for managing the lifecycle of all the activities and relationships needed,” says Davis, a former chief systems engineer and information assurance (cyber) technical authority for the U.S. Navy. “Why not report to the CIO for the operational aspects, and the CDO or risk officer for the administrative side, particularly for risk management. This second boss could also be the COO or CEO, if there is no C-level risk officer, or if the company wants to demonstrate their commitment to cyber risk overall.”
He adds that if he had to pick one corporate officer as boss to CISOs, he’d choose the COO. “The CEO already has a wide span of control. The CISO should be enhancing business operations and innovation -- as well as reducing risk.”