Digital security is approaching the realm of the sacred in the corporate world -- and the CISO is its new patron...
"Drop everything and get one now," advised Johna Till Johnson, president and founder of Nemertes Research.
Cybersecurity expert Candy Alexander agrees that organizations need to have one. "It's critical. Absolutely critical. I don't know how a business cannot."
What there's less agreement on, once a security executive is fixed in the corporate firmament, is the optimal CISO reporting structure. Should he or she take orders from an IT chieftain like the CIO? Maybe someone in operations or the legal department? Or should it be straight from the top, the CEO?
"This is very much a religious war. It's been happening ever since the term CISO came about," said Alexander, a former CISO and independent consultant.
According to a recent report by Cloud Security Alliance and Skyhigh Networks, 61% of organizations have a CISO. Of that number, 42% report to the CIO, 32% report to the CEO and 26% report to other executives, including the general counsel and the CFO.
The reason there's such debate on the CISO reporting structure has everything to do with why the CISO is so important in the first place: to safeguard a company's business from all information security threats. The wrong boss, the thinking goes, could exert undue influence from narrow quarters of the business, limiting the CISO's ability to do the job.
Information security brings to mind IT initiatives, which, of course, fall under the purview of CIOs, but overall digital security should not, Alexander said.
"They don't necessarily have that foresight, insight as to the security technologies and/or practices and methodologies which many of us who are in that field naturally live and breathe."
Variations on CISO reporting structure
More than just the person in charge of managing information security, a CISO needs to be the face of a company's information security strategy. He or she needs to work with top executives to make them aware that cybersecurity threats are business threats -- and then make sure that message makes its way down through the ranks, to midlevel managers and the business units under them.
If the CISO reports to the CIO, there could be a conflict between productivity and security, Alexander said. The CIO is charged with innovating to push forward revenue-generating business strategy -- bringing new applications online and making sure IT services are available for users when they need them -- which could, in theory, overshadow security initiatives. It happens a lot with budgets, Alexander said, with the CISO fighting with the CIO over what amount of funding should go to security instead of, say, business-enabling IT infrastructure.
"It's really hard to go to report to the executives of the company and sit there and talk about how IT needs to get with the program when your boss is sitting right there," she said. "You really don't want to do that."
The CISO shouldn't report to the CEO either, in Alexander's view. Often the power plays between the CIO and CISO call for the CEO to play referee, and the chief executive doesn't have time for that.
The right organizational structure differs from company to company, she said, but the COO often makes a good boss for the CISO, since that model brings security and risk awareness directly into the daily operations of the business. The CFO works, too, because that executive, responsible for the quality of financial reporting, understands the role of checks and balances that is so important to any security organization.
Above all, though, the CISO needs to be on equal footing with the CIO, Alexander said. That way, the CIO will take the CISO seriously when warning about an application or some other IT resource that poses a threat to the organization. The conversation between them shouldn't be "'Why can't you secure your perimeter?' It should be, 'Let's look at what we need to do together to go ahead and do that.'"
Partners on cybercrime
One organization where the CISO reports to the CIO and things hang together is Equinix, a Silicon Valley company that provides data center resources for organizations worldwide. George Do holds the top information security position, and he knows all about the debates swirling around the CISO reporting structure. Between the chiefs of IT and security, it can be adversarial and ultimately unproductive in some organizations, but not at Equinix. His boss there is CIO Brian Lillie.
"We're a data center company, but really our mission is to interconnect and interconnect our customers," Do said. The company carries that mission out with huge investments in IT and cloud computing. "The CIO is a huge stakeholder in that sense. And to me security should be in support of that; security shouldn't drive that, but it supports that."
Do does that by developing a security strategy for the company, which runs 145 data centers across the globe. In addition to risk assessment and plotting out long- and short-term goals, activities under his control include general operations like managing firewalls, drafting response plans to security incidents and deploying new technologies to reduce risks. He runs it all by Lillie, who gives feedback and signs off.
After Lillie, Do has to take his message about security and risk awareness to the rest of the company. He throws away the idea of managing security in an ivory tower, reaching out to co-workers using good, old-fashioned communication skills.
"We do it in a way where we rationalize the security policy, why we have the policy, why we do it in a certain way," Do said. "And nine out of 10 times a user gets it and gets behind it."
The business connection
Nemertes' Johnson recently interviewed companies about their security practices and found that the organizations with the most mature cybersecurity strategies had a CISO reporting directly to a business executive.
The study, which surveyed 17 organizations, found that the fewer "hops" from the CISO to the business side mapped directly to how prepared an organization was for current and future security challenges.
Johnson presented the research in a March 8 webinar. If a CISO is two or more hops away -- "you're reporting in to somebody who's reporting in to somebody who's reporting in to the business" -- it's on the lower end of the maturity scale. An organization with this twice-removed CISO reporting structure has the basic technology and staff necessary to combat cyberattacks, but it can't prevent problems from happening in the first place.
Reporting to the CIO is better, but that's still one hop away from a business exec the CISO needs the ear of.
"The fault isn't the CIO," Johnson said in an interview. "It's the CISO's job to translate infosec risk into business risk." Which businessperson the CISO should report to matters a lot less: It could be the CEO, CFO, COO or the chief risk officer.
The CISO should also have regular communications with the board of directors, Johnson said, giving updates every fiscal quarter to, say, an operating committee that does risk and compliance audits.
"It's not necessary that your person get out there and make a formal presentation to eight people around a fancy table with bone-china teapots," Johnson said. "It may be better that every other Thursday you're going out to eat in a local diner with the three guys that run the risk committee."
A former information security officer sounds off on CISO reporting structure
A crisis helps with forming information security plans
Spectacular data breaches spur CIOs to security action