Sunday, June 15, 2014

Getting Wrapped Around the CISO Reporting Structure Axle

CISOs are in the lime-light right now as the parade of data breaches marches on. One of the big topics is the issue of reporting structures. Where should the CISO report to? Should the Senior Information Security leader be a company officer? All valid questions, and more.

Answer this for yourself-

The CISO should report to...

  1. CTO
  2. CIO
  3. CFO
  4. CRO/Chief Legal Counsel
  5. CEO
What did you choose? Which ever you picked, you're right, and wrong. The real answer is secret option 6 - "What ever makes the most sense in the organization". If you're ever in the position of being interviewed for a CISO role and someone asks you where the CISO should report to, answer them by asking to talk to the company executives before you decide. That is the only answer that makes any sense.

Articles like this one in CSO Online (Target Top security officer reporting to CIO seen as a mistake) do little besides creating more tension between those responsible for an enterprise's leadership and operational well-being. Does it make sense for the CISO to report to the CIO - of course it does. Does it make sense at Target? I don't know, I don't know the CIO well enough to say for sure whether he will weigh security issues seriously against operational responsibilities. I can tell you that he would have to be an absolute fool to disregard security given the recent spate of events there.

Recently on the Down the Rabbithole Podcast we interviewed Joe Riesberg who is the CIO at Drake University and former CISO for a world-wide financial conglomerate. Joe talked about the partnership which must exist between the CIO and CISO, and how the CIO must have at least a fundamental understanding and healthy respect for security.

So where do I believe the CISO should report to, in a healthy enterprise which understands the balance between keeping the business supported and innovative and keeping the business reasonably secured? The real answer is - it depends. My advice, stop arguing over where the CISO should report and start thinking about how the CISO can better understand and fit into the business, and partner with the rest of enterprise leadership to build a strong culture of security. We don't need any more drama or adversaries in security - we have enough of that already.


Unknown said...

Just 1 point I'll make. If the CISO reports to the CIO, that could present a potential conflict. In that structure the CISO may be tentative about ratting out the boss. But, to your point if everyone understands their role it shouldn't matter much.

Rafal Los said...

Richard - I can understand the conflict of interest... I've been in an awkward position where the CISO reported to the CTO (who was in charge of "operations") which was a guaranteed conflict of interest and we lived that hell every day. I'm curious if the conflict of interest with the CIO (real or perceived) is more because there is a gap in communication, or the CIO is simply not incentivised to maintain good security hygiene? Maybe this starts to change now?

Unknown said...

Rafal, you are right. The CISO needs to make a judgement call and he needs to be empowered by the board to do so.

Putting the CISO in the position of having a single reporting path, puts the CISO in jeopardy.