Nearly five million data records are lost or stolen worldwide every single day according to the Breach Level Index. That’s a staggering 58 records every second. It’s no wonder, then, that cybersecurity risk management is now a major strategic priority for organisations the world over, and one that leadership teams are increasingly collaborating to defend against.
Which begs the question: where should the chief information security officer (CISO) sit in the leadership team? There are several options, and a savvy organisation will test out a few different models to see which suits their structure before deciding. But, before contemplating whether to have your CISO report into your chief information officer (CIO) or chief risk officer (CRO) or anything else in between, it’s first important to understand the pros and cons of each.
Historically, the CISO has reported to the CIO in an organisation and this is often still the case today. Given that the CIO will have the best overall understanding of cybersecurity – and that the CISO is expected to secure IT systems and data under the umbrella of IT – it makes sense for this to be the case.
It’s important to remember, however, that, because their agendas are so closely aligned, CIOs often have competing priorities that may affect the CISO’s cybersecurity agenda. For instance, when it comes to budget, the CIO may prioritise infrastructure and development over the CISO’s security priorities.
Furthermore, as employee training outside of the IT department becomes more of a priority for CISOs – so that employees can stay abreast of new technologies being used in-house, as well as basic cybersecurity procedures – a CISO’s priorities quickly fall out of the CIO’s remit and into other departments.
We’ve seen a move across to this leadership model in the last year or so – particularly when it comes to organisations in the financial services industry. While it’s certainly true that the CRO tends not to report into the CEO (and so arguably doesn’t have as much pull as other members of the C-suite), a CISO is, in many ways, best placed in the risk team.
After all, by virtue of the fact that a CRO team addresses risk, and that cybersecurity poses a very specific risk to all organisations, underneath the CRO is a good option. Businesses relying on greater insight into enterprise risks should recognise cyber risk is a big part of this, and a CISO therefore would need to be consulted.
When it comes to placing your CISO below the chief financial officer (CFO), the most significant benefit is that it means the CISO has some serious sway when it comes to getting financial backing from the board. When it comes to CFO making critical decisions about cybersecurity spending, it makes sense to position them next to the CISO who knows the most about how and where spending should be committed.
However, proving to the CFO that they will see a return on their investment in cybersecurity, and successfully returning on that investment, can often be an uphill climb for any CISO.
A CISO reporting into a chief legal officer (CLO)? It’s certainly more unusual, but not beyond the realms of possibility and rationale. After all, if an organisation is to truly accept the risks – not just financial, but also reputational – involved with cybersecurity and any data breach, the legal team should always be involved. Especially in the wake of the general data protection regulation (GDPR) being implemented earlier this year; legal officers, of course, handle all issues related to governance and compliance.
The negatives? Well, cybersecurity isn’t a legal team’s priority as such so when it comes to dealing with the CISO, it’s likely to be on a much more episodic and inconsistent basis than they might like.
The CISO reporting into the CEO directly, however logical, is still rare. Unless the organisation in question is particularly tech savvy (e.g. a tech company), they’re unlikely to have placed the importance of cybersecurity at such a high level yet. Nevertheless, I’d recommend it.
Reporting to the CEO maintains the independence of the CISO role and can enable a fuller, more open discussion with all the senior stakeholders. Yet adding the CISO to the CEOs direct reports runs against a trend of CEOs seeking to reduce rather than increase the number of principals who directly report to them. CEOs want less not more distraction from their focus on strategy an operational leadership.
This perhaps explains why those predictions of CISOs reporting to CEOs haven’t yet been realised. Many CEOs actually may prefer their CISO reporting into the CIO who can then filter out relevant information.
Several companies have considered this, and it is worth testing out whether having the CISO report directly to the board of directors or one of its committees is successful.
The board’s prime responsibility is to supervise management. As organisations become more digital the board needs to know the unvarnished truth of an organisation’s cyber performance. A CISO who directly reports to the board can facilitate the process of exchanging critical information that isn’t sanitised. These sessions also could allow the board to get discrete cyber information outside of the main board meetings when their attention is drowned out by a plethora of other issues. A major challenge with this model is whether the board contains enough knowledge of cybersecurity issues to make this engagement meaningful enough.
There’s no right or wrong way to fit the CISO into an organisation, so long as their recommendations are heard by the entire company. Cybersecurity is relevant to each and every department, and as long as they aren’t in any way siloed, the CISO will have a place in any part of the company.
Greg Day, VP & CSO, EMEA, Palo Alto Networks
Image Credit: Totojang1977 / Shutterstock