The question of who’s the CISO’s boss is an old one, and there’s still no single answer. I reported on it a year ago. Some say the IT security chief should not report to the overseer of IT initiatives, the CIO, because cybersecurity could come into conflict with technology innovation. Others, such as Nemertes Research founder Johna Till Johnson, say the CISO should report directly to a business-side executive to “translate infosec risk into business risk.”
So when I spoke recently to Scott Weller, co-founder of Boston cloud startup SessionM, about a new IT security role he’s designing there, I thought it was a good occasion to reopen the debate. He’s a good one to ask. He’s the CTO — as well as the acting CISO — at the nearly six-year-old company.
“Your CISO needs to report directly to the CEO,” Weller said. “The CISO has to be very transparent around building an apparatus that can report issues and challenges and exposure to certain security issues.”
Hail to the new chief
SessionM sells a cloud platform that helps companies personalize marketing messages. The company is writing the job description for a CISO-like position it’s calling a chief cloud security officer. Weller described the role as an IT security person familiar with “the old world” of physical servers who also knows cloud computing inside and out and can identify cloud-specific security problems. Unlike a typical CISO, though, the executive won’t aim to protect just the immediate computing environment from threats — he or she will help the provider’s customers guard against them as well.
It’s a new IT security role, but it will likely fit into the CISO reporting structure SessionM already has in place: The boss is the chief executive, and the CTO and CISO are linked, of course, because Weller holds both positions. When the new hire is in place, Weller will be linked to the position through a dotted line. That means “their roadmaps are aligned,” and they will both be held accountable by the CEO to manage security problems as they emerge.
“Ultimately, it’s the role of CTO and that organization that executes technology implementation to actually take what the chief security officer is recommending and that strategy and build that apparatus into the organization,” Weller said.
‘Potential for ignorance’
He’s been in organizations in which IT security was the purview of engineering or technology execs — and sometimes less-than-ideal decisions regarding security were made.
“There is a potential for ignorance to emerge around, ‘What are our threats? What are our core priorities? How do we address those?’”
It’s important, Weller said, for a CISO — and the new IT security role — to keep the CEO and even the board of directors informed on what the risks are and what security incidents happen when they happen. They should know about attempted breaches, for example, or ransomware attacks, and how to fend off future offensives. That way, “the team together can make a collective decision on how they respond to those types of things.”
The chief cloud security officer position started at cloud providers such as Amazon and Microsoft. Learn more about it in this SearchCIO report.