Debate continues over where CISOs sit in the C-suite

It’s been customary for CISOs to report to CIOs, but a recent MIT panel raised questions about the viability of this C-suite model.

Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report. Some say the CISO should report only to the CIO because the top security role is inextricably linked to IT. Others say this is a terrible idea because the CISO must lock down the corporate network while the CIO is challenged to innovate. A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.

MIT professor and panel moderator Stuart Madnick asked the CISOs to whom they believed they should report. State Street CISO Mark Morrison suggested that the common model of security chiefs reporting to IT leaders is no longer tenable. "I think there needs to be some independence of the CISO from the IT organization,” said Morrison, who provides information security for a financial services company with $30 trillion under custody.

Cybersecurity fears have CISO role under heavy scrutiny

Corporate boards have made it their business to become well-versed in cybersecurity, following an onslaught of hack attacks, breaches and other pernicious scams. Boards are calling for CISOs to join the CIO to provide joint updates, ostensibly in the interest of better governance and oversight. The increased focus on corporate defense is making it harder for CISOs who report to CIOs to do their jobs, raising the possibility that it might be time to rethink the security chief's reporting structure -- at least according to Morrison and some of his panel peers.

Morrison has dual reporting lines to CIO Antoine Shagoury and the board, whose technology committee he meets with nine times a year, accompanied by the CIO. Inevitably the board asks Morrison to report on cyber risk, including what additional tools they should invest in to improve protection. That’s when things start to get dicey as the board asks him if he’s getting enough support and money to do everything he needs to do. Sitting next to his CIO, “it’s hard to give a very honest answer to that [question],” Morrison said.

The tension ratchets up when Morrison outlines the company’s vulnerabilities and the board asks him why he isn't "moving faster" to fix them. "My response is, that is not a question for me to answer; that's a question for the CIO, because I'm not responsible for patching -- that's the operational element,” Morrison said. “So we run into a lot of these conflicts that don't really get resolved."

Sam Phillips, panelist and CISO for Samsung Business Services, said that it can be tough for CISOs to get the money, talent or other necessary resources to drive security programs while working under the CIO. "The CISO should be an independent body doing governance, risk and compliance in addition to validation and implementation of the security program," Phillips said. He suggested CISOs might be better off reporting to chief legal or chief risk officers, who report to audit and board committees.

Why the CISO should remain under IT

Despite all the heady talk about GRC, CISOs still toil in a highly technical role; those who seek and win independence from IT risk sacrificing credibility with their peers. Shumard and Associates principal consultant Craig Shumard said that the CISO is better placed in the IT organization than not because as much as 80 percent of the role is technical in nature.

"It's a lot easier to get the attention, support and respect of IT people when you're in the IT organization," said Shumard, who maintained both operations and governance control while working for four CIOs during a 10-year career as CISO of insurance provider Cigna. "CISOs reporting to a CIO have both an operational as well as a governance responsibility and that makes them much more effective."

Craig Shumard, principal consultant at Shumard and Associates.

Having operational and governance control over cybersecurity afforded Shumard the latitude to be creative. He says he gave each business unit, including IT, security scorecards to rate how they were performing. "When those score cards came out and the senior management saw them, it wasn't me responding to why patches weren't done, it was the people who owned it," Shumard says.

Indeed, not every CISO on the MIT panel said reporting to IT presents a conflict of interest. Roota Almeida, head of information security for Delta Dental of New Jersey, said she has reported to CIOs in two of her CISO jobs, including her current position. But she said that organizational culture dictates whether the CISO-CIO reporting structure works. "In a different industry, a different organization, maybe I should be reporting to the chief legal officer," Almeida said.

Changing dynamics across many industries may render the discussion moot.

With breaches continuing at a rapid clip and the attack surface widening thanks to the Internet of Things, cybersecurity will increasingly be shunted away from IT, predicted R. David Moon, CEO of incident response consultancy TriPath Media. He said companies must bolster their defenses without overburdening IT departments. That creates more opportunities for CISOs to grab governance and operational oversight while freeing the CIO to focus on innovation. “We don’t see a lot of CIOs who want to be responsible for the GPS’ in truck fleets, or smart doors and thermostats,” Moon said.
