The Chief Information Security Officer (CISO) is the organization’s senior executive in charge of the enterprise’s cybersecurity and information technology risk management posture. He or she is a seasoned executive who must be equally adept at leading the myriad technology functions associated with protecting the enterprise’s information and data from misuse and compromise, and at managing the deeper business aspects of the role: hiring, developing, and retaining qualified and competent personnel; orchestrating Governance, Risk, and Compliance (GRC) requirements and mandates; instilling a risk-conscious and security-aware culture in the enterprise; and preparing and defending the budget associated with protecting the enterprise’s computing infrastructure from harm.
In many organizations, and in the U.S. federal government in particular, the CISO reports to the Chief Information Officer (CIO). Much has been written over the years about the feasibility of this organizational construct. Lately, some very progressive organizations in the Fortune 500 and the Global 1000 have elevated the CISO to a reporting relationship under, variously, the Chief Risk Officer, the Chief Security Officer, the Chief Financial Officer, the General Counsel, or even the Chief Executive Officer. Where the CISO belongs organizationally in any enterprise is largely a function of the roles and responsibilities of the CISO and the manner in which those roles and responsibilities cleave into the operations and mission of the enterprise.
The role of the CISO
For the sake of simplicity, the CIO is responsible for the information technology spectrum of “power, ping and pipe,” and the CISO is responsible for the cybersecurity spectrum of “identify, protect, detect, respond, and recover.” The two sets of responsibilities are inter-related, and in most cases complementary, but the question boils down to whether one set should have primacy over the other, or whether they are co-equal. Added to this analysis is the general CIO and information technology emphasis on the “3 Fs” of features, functionality, and fast, which are anathema to cybersecurity in general. A growing consensus among information technology and C-level executives is that the CISO’s priorities should not be subsumed under the CIO’s priorities.
Viewed another way, having the CISO report to the CIO relegates cybersecurity to an IT security, or technology, function. However, if the CISO reports higher up the chain of command and has a seat at the C-level table, then cybersecurity is solidly embedded into the overall risk management of the enterprise.
Perhaps an examination of how the U.S. federal government approaches the organizational question can provide additional perspective. The Federal Information Security Modernization Act (FISMA) of 2014, which replaced the Federal Information Security Management Act of 2002, is a federal law that requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information technology and systems that support the agency’s mission. FISMA designates departmental and agency CIOs as the primary officials responsible for their organizations’ IT security. Among the CIOs’ duties under FISMA is designating a senior agency information security officer. Therefore, an act of law determines the organizational placement of the CISO under the CIO in the federal government.
Let’s acknowledge a counterargument right here: if federal law were to unshackle the CISO from the CIO’s chain of command, would information security across the federal government be appreciably improved? Could it possibly be any worse than it is now?
Perhaps Congress concluded that no CISO should be allowed to give his or her unvarnished opinion of the true cybersecurity and risk management posture of the agency’s enterprise as long as the top official responsible for IT does not wish that opinion to be disclosed. Under the current structure, the CIO is free to raid the cybersecurity budget to fund any other priority, may feel inclined to overlook a powerful peer’s security deficiencies, or may disregard security recommendations that interfere with “really neat” functionality. By placing the CIO in a position of superiority over the CISO in federal agencies, the CISO is marching to the CIO’s orders and working off the CIO’s list of priorities, not to mention trying to earn a performance bonus that the CIO must approve. If that is the situation FISMA intended, then Congress should simply have given the security job, and the corresponding accountability, to the CIO.
Risk management and the CISO
Back to the commercial world, where there is no legislative mandate, and to the original question about where the CISO should be organizationally positioned. It depends. It depends on many factors, not the least of which is the enterprise’s perspective on risk management. If overall risk management (financial, programmatic, human, facilities, and information technology) is embedded into the very soul and culture of the organization, with risk appetite and risk tolerance decisions continuously on the radar of the senior executives and the board of directors, then the CISO cannot realistically be buried under the CIO. If, on the other hand, the organization views information technology as its lifeblood and considers the protection of those information technology resources to be the totality of its cybersecurity obligations to its stakeholders, then the CIO should have the CISO within his or her span of control. There is no one-size-fits-all answer, although the prevailing trend is to unshackle the CISO from the CIO.
In the end, it boils down to how an organization approaches its risk management diligence. In most cases where organizations place the CISO in a role subordinate to the CIO, the result is over-leveraging toward cost management as opposed to risk management. In organizations where the CISO is elevated to a C-level position at least co-equal with the CIO, risk is more likely to be embedded in the culture of the organization.
Learn more about the Cisco Secure CISO Connections program.
Putting the C in front changes the role in the FISMA law, IMHO.
CISO has a C level role and responsibility to the board of directors, unvarnished by the CIO.
Nice thoughts… I think organisations should also know the difference between Information Security or Cybersecurity and IT Security. Most ISOs or CISOs under the control of CIOs largely operate as IT Security personnel. This has raised lots of concerns, such as conflict of interest. According to the 3-Lines of Defence model, the CIO should be in the First Line while the CISO should be in the Second Line of defence.
Absolutely agreed with Daniel.
If organizations want to seriously improve their security posture and reduce risks, then CISOs have to report directly to the CEO and should have their own budget.
Amazing thoughts.
Some of the financial regulators in India have started saying that the CISO’s reporting should be to the Risk Management function.
Cyber Security risks are different from other Operational risks and Three Lines of Function should be adopted by the organizations as a governance strategy.
The CISO’s reporting structure to the CRO or CEO and the presence of the CISO in Board meetings should come from laws and regulations.
All CEOs, CROs, CIOs… should welcome and wholeheartedly support the CISOs.
As a CIO, I have personally experienced having the CISO report to me and having the CISO report to other senior executives. As you point out, it can be awkward having the CISO highlight faults in IT when they report to the CIO. I found myself asking “do you have to say it that way?” at times. The downside of having them report outside IT is the temptation to play the blame game: IT is at fault for every flaw. It also encourages the CISO to obsess over risk and ignore the fact that some risk is acceptable, if properly vetted and acknowledged by leadership. Regardless of who the CISO reports to, the critical factor for success is a good relationship between the CIO and the CISO. A strong working relationship will overcome a flawed org chart every time!