In this issue of the President's Letter, Jeff discusses:
To Whom Should the Chief Information Security Officer (CISO) Report in the Organization?
President, JB Homer Associates
One of the most sought-after positions today is in Cybersecurity. We have found in our most recent CISO searches that it is the Board's desire and need to increase cybersecurity maturity and to demonstrate compliance to its regulators and shareholders. The CISO's access to, and influence on, an organization is now just as important as, if not more important than, their ability to be the IT Security subject-matter expert and build a leadership team.
Historically, it has made sense for CISOs to report to CIOs, since at the core both are technical in nature and are in sync with IT Security, IT Infrastructure (which includes network and operations), and the delivery of secure new applications. However, senior leaders and their CIOs are under increasing pressure to drive new and emerging technologies and transformation. As a result, there has been a tendency for them to gravitate toward shiny-object syndrome: new technologies are introduced, but these may not adhere to the IT Risk & Compliance posture of the company or serve a purposeful business value and outcome.
CISOs need to be free of any conflicts of interest and be able to influence the business and partner with the technology rank and file to help protect the organization from, and mitigate, both operational and reputational Risk. The CISO should have the authority to veto, delay or adopt the release of new applications, and to decommission technologies if they deem these to make the company more vulnerable to Risk. As the technology environment evolves in an organization, the CISO should be the advocate for cybersecurity enterprise-wide, as well as the security face to the Board and to all regulatory agencies.
This is all leading to a shift in the CISO's reporting line. To whom should the CISO report in the organization (e.g., the CEO, COO or CRO)? This can demonstrate how the role is changing from security expert to business strategist with combined responsibilities for IT Security and Risk Management. However, in my opinion, the best reporting line for the CISO is where he/she has the best visibility to work as an equal partner with the CIO around all technology risks and is able to influence the leadership team and the Board to help mitigate enterprise-wide exposure to Risk in any form.