Where and to Whom Should the CISO Report?
We begin our book with one of the most basic and fundamental issues facing cybersecurity today, namely the reporting structure for CISOs. As our authors will note, this reporting structure has a tremendous impact on the efficacy of the organization’s security operations. This discussion highlights the differences between traditional, IT-focused views of cybersecurity and those that are evolving to view cybersecurity as a risk-management function.
While there are differences in approach and perspective, our authors collectively emphasize how important it is for the CISO to know their organization’s industry, regulatory requirements, and lines of business. This organizational context has important implications for the security operations’ staffing levels and budget.
Bill Bonney highlights how organizations are demanding more of their CISOs and the fact that CISOs are expected to expand upon their deep technical knowledge to also include domain expertise in the areas of risk management and business operations. His analysis highlights how the balance between technical skills and business acumen is frequently influenced by the level of maturity of the organization.
Matt Stamper suggests that the reporting relationship for the CISO reflects how the organization views risk. Organizations that take a more expansive view of cybersecurity and risk will likely have a CISO reporting outside of traditional IT, generally reporting to the CEO or CFO. His perspective is that there are also inherent challenges in having a CISO report into IT. Under these scenarios, the CISO is placed in the unenviable position of having to judge the work of their boss, frequently the CIO.
Gary Hayslip offers a pragmatic view of where CISOs should report depending upon the industry context of the organization. What is clearly emphasized, and all the authors agree on this point, is that organizations that have a designated security officer – a CISO – will have better security outcomes than those that have not formalized this role within their organization. Gary highlights how critical it is for the CISO to truly know the organization – its people, its data, its industry, its applications, and its infrastructure. As Gary notes, “cyber doesn’t exist in a vacuum.”
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ Who should I (the CISO) report to?
♦ How and where should the CISO and security program fit within the organization’s structure?
♦ How and why do I see this changing?
Report to and Organizational Structure – Bonney
We often think of reporting relationships and organizational structures as fixed. You get hired to do a job, reporting to a particular person in a department, business unit, or functional group that has a certain structure, and you learn to operate within those parameters. But as cybersecurity risks have become high-profile news-generating events, the CISO role has had to evolve. With that higher profile you sometimes get greater latitude to adapt to the changing threats, but you almost always inherit greater expectations that the approach taken by you, the CISO, on any given issue will be appropriate from a C-level perspective, not just technically correct.
What does that mean? It means that organizations are asking more from the CISO. Besides the technical standards and regulatory requirements that you’ve mastered, you are expected to know the products, the business, your customers, and the market in which your organization competes. You are also expected to act in a way that is best for the organization, placing the needs of the organization before the needs of your career or any other personal outcome. That’s called a “fiduciary responsibility.” If you need to change the structure of the information security group to meet the organization’s needs, do it. If you should be placed in a different part of the organization to best serve its information security needs, it’s up to you to determine that and advocate for it.
With that as backdrop, let’s look at all three parts of this question: To whom should I report? How should the organization be structured? How should I expect that to change over time? We’ll look at each of these questions through the lens of a C-level executive making the determination about what is right for the organization. We’ll assume that whether you, the CISO, were hired at the C-level or not, you wish to and are expected to contribute as if you were a C-level executive.
Three Criteria for Deciding
The three criteria I’m going to apply are organizational maturity, business domain, and skill alignment.
By organizational maturity, in this context I mean specifically how experienced is the organization in dealing with the types of risks that threaten the continuity of its lines of business? Does it build in operational resilience to account for disasters and disruptions, develop continuity plans to recover normal operations, and communicate those plans to employees, key partners, and customers? Does it practice responding so that people throughout the organization, including within the customer and partner ecosystems, know what to do when disruption or disaster strikes?
By business domain, in this context I mean specifically what is the nature of its external environment? Does the organization operate in a highly regulated environment? Is the market segment in which it operates subject to numerous security or operational threats? Is it in a highly technical arena?
And finally, by skill alignment, in this context I mean specifically how do the skillsets within the Information Security department align with the expertise in the rest of the organization? Which business units or functional groups are responsible for business continuity? Where does responsibility for risk management lie? Is Information Technology managed centrally, regionally, or within business units? Where do the CIO and CTO report? Given this environment, what is the appropriate balance between technical skills and business acumen for the CISO?
Let’s start with organizational maturity. A key factor in your thinking should be that for many organizations, the CISO needs to be the “Chief Resilience Officer.” This is especially true for those organizations without significant muscle memory in building and executing continuity plans. If the organization does not have much experience in this area, you should give strong consideration to having the CISO report to the Chief Executive Officer (CEO). In this environment, the organization is more likely to experience a devastating cyber-attack than a physical threat, and it is not likely to be ready for either without your help.
As the CISO, and informally the Chief Resilience Officer, it is your job to help the organization identify the key assets that must be recovered for the organization to continue as a viable entity and determine how to ensure that outcome. You’ll drive the creation of action plans that will be executed in the event of a crippling cyber-attack. To do this successfully you’ll need the full, active support of the entire executive team. Head nods and lip service are not sufficient. You’ll need to answer for yourself “at what reporting level am I likely to get that support?” and advocate for that outcome.
The breadth of impact that a cyber event would have and the number of touch points that cyber-preparedness activity is likely to require throughout such an organization would be substantial. For that reason, it is likely that a CISO would be less effective as a sub-function of either Finance (reporting to the Chief Financial Officer (CFO)) or Information Technology (reporting to the Chief Information Officer (CIO)), even though these leaders typically own risk and technology, respectively. Nor is it likely that a Chief Operating Officer (COO) will have sufficient breadth of responsibility in this case.
If the organization has a mature process for business continuity, then it is imperative that the CISO is closely aligned with whoever owns business continuity. Ideally, you’ll work with these key individuals to improve the existing plans to include recovering from a cyber-attack. At a minimum, you will need to share communication and escalation processes. Hopefully this will be a member of the C-suite so you can integrate with the team charged with keeping the company in business while the disaster, attack, or disruption is abated. If continuity planning is assigned but is too far removed from a C-level executive, you’ll need to help the organization re-think its position and elevate that function or subsume it into your department.
Finally, if the organization is more mature and has high-functioning, independent business units that tend not to rely on centralized back-office functions, you should consider using more embedded resources to support the business units directly. While you’re still likely to have a greater impact by centralizing infrastructure protection, incident response, and governance functions, embedding application security business partners directly into the business’ technical and product teams may improve their ability to flex and keep up with changing business requirements.