Opinions about CISO reporting structure, or where the CISO should sit on the org chart, have fallen into a few camps. There are those who sit firmly in the CIO camp, arguing that CISOs should report to the Chief Information Officer because cybersecurity belongs squarely within the realm of IT functions. There are those who believe a CIO's productivity mandate can conflict with the CISO's need to mitigate risk, and that the CISO should therefore always and only report to the CEO. And then there are those who believe the allowable wiggle room depends on the current structure and needs of your organization.
Here's how the actual CISO reporting structure breaks down in practice: "According to a recent report by Cloud Security Alliance and Skyhigh Networks, 61% of organizations have a CISO. Of that number, 42% report to the CIO, 32% report to the CEO and 26% report to other executives, including the general counsel and the CFO."
So who do we think the CISO should report to, and why?
Choosing the Right CISO Reporting Structure
Devi Momot, Twinstate's CEO, has some experience in this field, and a strong opinion that doesn't give all the power to one camp or the other.
"My belief is that you need separation between the head of IT and the head of security," Momot says. "If the head of IT reports up through the CFO, then the CISO should report to the CEO."
Why? To start, the function that assesses security risk should not answer to the function whose work it is assessing; there should never be a chance for collusion among your ranks. Whoever the CISO reports to also needs to be able to have conversations about priority at the topmost levels of the organization, Momot explains.
"In some organizations, the CISO reports to the board of directors. There's no hard and fast rule, but the recommendation is to ensure that the individual responsible for information security has a direct line of communication to the senior leadership who can make the decision about A or B, or maybe act as a force multiplier for both A and B," she says.
Not everyone in the organization is positioned to make those major decisions, or has the time to keep current on the threat landscape. If you don't have a CISO, or the structure to support an advanced IT team, it may be time to bring in outside consulting resources. After all, your IT people just want to keep things working, and can easily get lost in the weeds of day-to-day operations. That's why, Momot says, building your hiring structure correctly is a good way to start understanding the role of the CISO in your organization: a structure that supports learning opportunities, increasing levels of responsibility, and openness to expert advice when expert support is essential.
Why Structure Dysfunction Can Limit Security Health
"In a lot of organizations there's an inherent dysfunction. The CEO and CXO generally just trust the IT administrator with everything. They also trust that they're able to keep up," Momot says.
IT staff take that responsibility seriously and are on staff to protect and serve their organization with the best of intentions, but they still need help.
"To be effective at security and privacy, people need to be immersed," says Momot. At most organizations, especially small and medium businesses, the embedded IT staff are committed to taking care of everyday tasks. They aren't able to take security courses, attend security conferences or obtain certifications. So you could be missing significant security coverage simply because your staff doesn't have the time to keep up.
Momot's solution: overstaff. Overstaff by whatever percentage, for whatever time frame (for example, 50 percent for six months), allows everyone to take time out of the office to keep up with education and awareness. You might also choose to add resources from outside providers to augment your team's skills. Another rule to live by: every IT team needs about eight individuals to be well-rounded. The complexity is just that great these days.
If your structure doesn't allow for that, consider what you're missing. If you can't get a dedicated CISO on your team right away, with a reporting structure that separates him or her from the IT admin's own reporting line, go back to the idea of outsourcing or hiring consulting services. Get the staff you need, in the structure that's appropriate, and the security benefits will follow.
Originally published on 12/06/2016