Is it time to move the CISO from under the CIO?

Must businesses rethink the CISO's place in the corporate hierarchy to better manage their cyber security risk?    

NO, says technical security consultant Edward Farrell

CYBER security is currently taking the same trajectory as the Dot-Com Bubble, not in terms of overvaluation or an impending catastrophic economic bubble, but in terms of understanding our role in organisations and markets, specifically how and where we provide value.

It is for this reason above all else that the CIO should not report to the CISO in the same way a CEO does not report to their lawyers or their CIO.

What do I mean by this?

Information and information technology derive their purpose from the business; without an explicit set of requirements or mission, the role of technology ceases to exist.

For that reason the CIO will implement systems and technologies that support the organisation.

Nested in the information technology requirement is the necessity that information is readily available, free from disclosure or modification, and that a positive assurance can be made as to this state; we now call this requirement cyber security.

The CISO's role is to enable this, however as this activity of security is often an enabling factor on par with technology, organisational leadership will often demand input from the security function.

Fundamental to this question is the assumption that report lines and rigid structures are effective (a view often imposed by MBA graduates who have never had to apply teamwork, technical competence, attention to detail or empathy).

I hypothesise that a collaborative approach employing multiple teams and services can be employed to achieve an organisation's desired outcome. Depending on the task at hand or point in time, responsibility/leadership can be delegated to the subject matter expert at the time, which expands beyond the CIO/CISO and may include marketing, communications and data science to name other disciplines within technology that should be on an equal footing.

Before we start jockeying for positions of leadership for empire building, CV padding or to augment our next TED Talk, I think we need to return to a phrase often quoted by Major General Marcus Thompson, former head of Information Warfare for the Australian Defence Force: "Cyber security is a team effort."

Let's find ways for the teams to achieve our desired outcome.

Edward Farrell is director and principal consultant at Mercury Information Security Services

YES, says cyber business owner Peter Maynard

ONE of the best indicators of an organisation’s cyber maturity is who their Chief Information Security Officer (CISO) or equivalent reports to.

If the leaders of the organisation are treating cyber as an IT problem, then their CISO is probably reporting to their CIO. If they’re managing cyber as a business risk, then their CISO is most likely reporting directly to their executive leadership team and the CEO with representation at the board level.

The same applies to small and medium-sized organisations. Owners that believe cyber is an IT problem look to their IT or managed service provider to solve the problem. Business owners that are managing cyber security as a business risk are engaging external trusted advisors or virtual CISOs (vCISOs) to advise them directly and work with their IT providers and other internal and external teams.

Whilst it’s very clear that managing technology is a central part of managing cyber risk, there’s also the people, the processes, and the governance aspects. Finance, human resources, public relations, marketing, communications, etc., all play important roles in an organisation’s cyber risk management strategy and defence.

For a CISO to be truly effective they need to be able to have a direct relationship with the CEO and all of the organisation’s departments, including IT. They need to be a trusted advisor empowered to operate without the constraint or compromise of another senior executive or department that may have competing objectives.

I don’t think there would be many CEOs or business owners in Australia who haven’t heard at least five times over the past few years that cyber security is a business risk and not an IT problem. Despite this, most of these organisations still appear to be treating cyber security as an IT problem with their CISO nested under their CIO.

It’s not too surprising then when the primary guidance they receive focuses almost entirely on implementing eight technical controls. These technical controls, whilst a necessary component of a cyber security program, do not work well in the absence of governing processes and appropriate cyber skills required to execute the function.

Perhaps when that guidance matures to a more holistic approach, so too will an organisation's cyber maturity, keeping pace with an ever-changing and challenging threat and regulatory landscape.

Peter Maynard is co-founder and CEO at CyberMetrix

* This discussion was prompted by a recent article titled "Why CIOs Should Report to CISOs".

AISA ran a poll on its LinkedIn Group asking, "Should CIOs report to CISOs now?" There were 35 votes, with 63 per cent responding 'Yes' and 37 per cent saying 'No'.