We often think of reporting relationships and organizational structures as fixed. You get hired to do a job, reporting to a particular person in a department, business unit, or functional group that has a certain structure, and you learn to operate within those parameters. But as cybersecurity risks have become high-profile news-generating events, the CISO role has had to evolve. With that higher profile you sometimes get greater latitude to adapt to the changing threats, but you almost always inherit greater expectations that the approach taken by you, the CISO, on any given issue will be appropriate from a C-level perspective, not just technically correct.
What does that mean? It means that organizations are asking more from the CISO. Besides the technical standards and regulatory requirements that you’ve mastered, you are expected to know the products, the business, your customers, and the market in which your organization competes. You are also expected to act in a way that is best for the organization, placing the needs of the organization before the needs of your career or any other personal outcome. That’s called a “fiduciary responsibility.” If you need to change the structure of the information security group to meet the organization’s needs, do it. If you should be placed in a different part of the organization to best serve its information security needs, it’s up to you to determine that and advocate for it.
With that as backdrop, let’s look at all three parts of this question: To whom should I report? How should the organization be structured? How should I expect that to change over time? We’ll look at each of these questions through the lens of a C-level executive making the determination about what is right for the organization. We’ll assume that whether you, the CISO, were hired at the C-level or not, you wish to and are expected to contribute as if you were a C-level executive.
Three Criteria for Deciding
The three criteria I’m going to apply are organizational maturity, business domain, and skill alignment.
By organizational maturity I mean, in this context, how experienced the organization is in dealing with the types of risks that threaten the continuity of its lines of business. Does it build in operational resilience to account for disasters and disruptions, develop continuity plans to recover normal operations, and communicate those plans to employees, key partners, and customers? Does it practice responding, so that people throughout the organization, including within the customer and partner ecosystems, know what to do when disruption or disaster strikes?
By business domain I mean, in this context, the nature of the organization’s external environment. Does it operate in a highly regulated environment? Is the market segment in which it operates subject to numerous security or operational threats? Is it in a highly technical arena?
And finally, by skill alignment I mean, in this context, how the skillsets within the Information Security department align with the expertise in the rest of the organization. Which business units or functional groups are responsible for business continuity? Where does responsibility for risk management lie? Is Information Technology managed centrally, regionally, or within business units? Where do the CIO and CTO report? Given this environment, what is the appropriate balance between technical skills and business acumen for the CISO?
Let’s start with organizational maturity. A key factor in your thinking should be that for many organizations, the CISO needs to be the “Chief Resilience Officer.” This is especially true for those organizations without significant muscle memory in building and executing continuity plans. If the organization does not have much experience in this area, you should give strong consideration to having the CISO report to the Chief Executive Officer (CEO). In this environment, the organization is more likely to experience a devastating cyber-attack than a physical threat, and it is not likely to be ready for either without your help.
As the CISO, and informally the Chief Resilience Officer, it is your job to help the organization identify the key assets that must be recovered for the organization to continue as a viable entity and determine how to ensure that outcome. You’ll drive the creation of action plans that will be executed in the event of a crippling cyber-attack. To do this successfully you’ll need the full, active support of the entire executive team. Head nods and lip service are not sufficient. You’ll need to answer for yourself “at what reporting level am I likely to get that support?” and advocate for that outcome.
The breadth of impact that a cyber event would have and the number of touch points that cyber-preparedness activity is likely to require throughout such an organization would be substantial. For that reason, it is likely that a CISO would be less effective as a sub-function of either Finance (reporting to the Chief Financial Officer (CFO)) or Information Technology (reporting to the Chief Information Officer (CIO)), even though these leaders typically own risk and technology, respectively. Nor is it likely that a Chief Operating Officer (COO) will have sufficient breadth of responsibility in this case.
If the organization has a mature process for business continuity, then it is imperative that the CISO be closely aligned with whoever owns business continuity. Ideally, you’ll work with these key individuals to improve the existing plans to include recovering from a cyber-attack. At a minimum, you will need to share communication and escalation processes. It helps greatly if that owner is a member of the C-suite, so you can integrate with the team charged with keeping the company in business while the disaster, attack, or disruption is abated. If continuity planning is assigned but is too far removed from a C-level executive, you’ll need to help the organization re-think its position and either elevate that function or subsume it into your department.
Finally, if the organization is more mature and has high-functioning, independent business units that tend not to rely on centralized back-office functions, you should consider using more embedded resources to support the business units directly. While you’re still likely to have a greater impact by centralizing infrastructure protection, incident response, and governance functions, embedding application security business partners directly into the business’ technical and product teams may improve their ability to flex and keep up with changing business requirements.
I listed three factors above: the regulatory environment, threat environment, and technical environment. For organizations under significant regulatory oversight…
Copyright © 2016 CISO DRG JV – All Rights Reserved.