With the explosion of the Internet of Things, it’s time to rethink the CISO role — including who that role reports to. This was the consensus of a panel of security leaders at this month’s MIT Sloan CIO Symposium in Cambridge, Mass. The traditional reporting structure that puts security and risk officers under the IT organization doesn’t work in the age of Internet-connected things, they said.
The massive growth in the number of connected devices will create new and exciting opportunities for businesses, but it will also create more attack surfaces, the panel said. IoT equals more cyber-risks, better hackers and a flourishing black market for the stolen data from those devices. Indeed, IoT’s impact on security spending could be huge: from $6.89 billion in 2015 to $28.90 billion by 2020, according to an estimate by research firm Markets and Markets.
The IoT challenge for security leaders is two-fold: They need to convince their companies that security should be built into Internet-enabled products and services from the get-go; they also need to show the business and board members that security is an enabler, not an obstacle, to business processes.
That’s a big hurdle to clear, said Mark Morrison, senior vice president and CISO for State Street Corp. in Boston. In his experience, employees, including business leaders, don’t really get how security fits into business operations.
“We’re constantly balancing operations with security,” he said. “It’s a much larger challenge, because everything that people do with a computer, they expect to work miraculously.”
This lack of understanding goes both ways: IT leaders have often been guilty of pushing out tools for the business without completely understanding the business risks and requirements, said Sam Phillips, CISO for Samsung Business Services.
Reporting structure a barrier to cybersecurity
The first step in turning the tide of how the security function is viewed by the business is having the CISO role operate independently from the IT organization, Morrison and Phillips said.
Morrison’s State Street job is his fifth stint as a chief security officer, and he has always reported to the CIO.
But at State Street, Morrison also reports directly to the board. “I’m the only standing agenda item,” he said of the board, which meets nine times a year. Every time, he fields the same questions about cyber-risks: How serious are they? Does he have enough resources to do his job? All this while his boss, the CIO, sits by his side.
“What happens is this natural tension between operations and cybersecurity, and there’s only so much money. There’s only so much time and prioritization that can be allocated,” he said. The reporting structure makes it “hard to give a very honest answer.”
Phillips agreed that the current reporting structure has become a roadblock. In his previous CISO job, he started out reporting to the CIO, and found it difficult to keep security moving forward. One big issue was resources.
“I wanted money to drive security programs,” Phillips said, but when security was “hidden off in someone else’s organization,” his programs often got short shrift. Eventually, he ended up reporting to the chief legal officer. This separation from IT allowed him to maintain his programs’ momentum.
“I think a lot of companies are going to see [CISOs and] chief risk officers reporting directly to the COO or CEO,” Morrison said. Phillips agreed, adding that he’s seen several other companies where these functions report directly to the audit committee or the board of directors.