Paul Connelly has been in the Information Security field since starting his career at the National Security Agency in 1984. He was the first Information Security Officer at the White House, where he served under three Presidents. He was also a partner leading a regional cybersecurity consulting team at PricewaterhouseCoopers for six years. He retired in April from HCA Healthcare, the largest private sector healthcare provider in the US, after twenty years as their Chief Information Security Officer. He now serves as a technical advisor, educator, and board member.
Cyberattacks are shutting down critical systems and operations across all industries, and organizations are paying tens of millions of dollars for defenses and insurance, and potentially 10X-20X more if they have breaches. Given this immense risk, organizations need to look at every lever at their disposal to optimize their cybersecurity program. Changing the reporting structure of the Chief Information Security Officer (CISO) may provide a no-cost opportunity for significant improvement.
The most common and traditional reporting line for the CISO position has been to the head of IT/CIO. In other cases, the CISO may report to the head of Legal, Compliance, or Risk. These reporting structures have been the historical standards, as cybersecurity was primarily focused on IT infrastructure and compliance, and the CISO was in middle management. CISOs tend to be heads-down focusing on the people, processes, and technologies that make up the bread and butter of their programs, and the reporting structure may be assumed as a given. Challenging the reporting structure can be politically risky, as well. So – this reporting made sense in the past, and for many reasons, including the inertia that must be overcome to change it, it has stayed that way.
Does it make sense in today’s risky environment? Business risks in cybersecurity drive the need for the modern CISO to have greater engagement across the organization than in the past. Around the world, regulatory bodies are making it clear – top leadership needs to be directly engaged in cybersecurity, boards are being pushed to add cybersecurity expertise, and it is not just an IT or compliance issue, or something to be buried under layers of management. Organizations should look to maximize the effectiveness of their CISO, commensurate with today’s level of risk and focus.
Success factors for the modern CISO include:
- Resources – Having the right people and technology.
- Visibility – Being positioned to see what is happening day-to-day and to have early warning of what is coming around the corner in the business; and being seen by business leaders and the workforce.
- Voice – Unfettered ability to interact with top leadership, business units, and the workforce. A CISO may have to call “All hands on-deck” or raise a risk with a key business initiative, and they need backing from senior leadership and the board to give that voice credibility.
- Partnership – Working with business leaders who understand and “own” their part of the cybersecurity risk.
- Decisions made at the top – Decisions on cybersecurity budget, staffing, and resolution of risks should be made at the CEO’s senior leadership table, not within IT or another business unit.
The right reporting structure can boost all of these CISO success factors. The ideal scenario is to move the CISO out from under layers of management, make them an equal business leader at the senior table, and enable them to directly present the risks, program strategy, issues, and resource requests to top leadership and the board. In most organizations, this means reporting to the CEO, CFO, or COO.
How and why this change can help
CIOs, Chief Legal Counsel, and other senior executives that oversee CISOs in legacy reporting structures have broad spans of responsibility and are likely not cybersecurity experts. These other leadership roles require different skills and background, have different goals, and are rewarded for different things than the CISO.
The CISO must partner with all business units and leaders and must connect with every single person in the enterprise to be effective. Perhaps most importantly, the CISO must also provide an independent view of technology and business risks to top leadership and the board, and there may be times when there is “healthy conflict” with the CIO or other business leaders. This access and independence can be squelched if the CISO is a level or more down in the organization and reports to anyone other than the CEO, CFO, or COO.
Having the CISO at the senior leadership table also means top leadership is directly connected and involved – no more middleman. They hear the perspectives of both the CIO and other business leaders and the CISO on critical points, and they are the decision-makers.
Summary
There is no one right way that fits all situations, and this may not even be feasible in organizations where the resource pool is small and staff must wear multiple hats.
If your organization could potentially benefit from this change, the first step is for the CISO to define and elaborate the pros and cons and the allocation and segregation of responsibilities. Then have a transparent and thoughtful conversation with the business leader where the CISO reports today and develop a plan to jointly discuss with your CEO.
A last point – for this to work, the CISO needs to up their game and earn their place at the senior leadership table. They need to come out of the SOC (Security Operations Center) and have the executive presence and communication skills needed to stand on their own, compete for scarce resources, develop partnerships, speak openly about business risks, and make the case for cybersecurity.
My prior organization, which is a Fortune 100 company, made this change almost ten years ago, and it was a game-changer for our cybersecurity program’s visibility, access, and effectiveness. At a time when we are all searching for every edge for our cybersecurity defenses, this is an out-of-the-box concept that warrants consideration.