CISOs, it’s time to bury the hatchet with your CIO

The Chief Information Security Officer and the Chief Information Officer can be awkward bedfellows. We look at how the two execs can work better together.

Historically, the head of security (CISO) reporting into the head of IT (CIO) has made a lot of sense.

Both departments are – at their core – technical disciplines, and as such there is a need for the two to be in regular contact. They need to overlap on network infrastructure, information security, and IT compliance, not to mention overseeing the release of safe, bug-free code and the delivery of secure products.

Yet this relationship is often lambasted by those working in the InfoSec community. Some describe it as ‘adversarial’ – with two very different people trying to achieve different objectives.

CIOs will look to bring new business applications online, to maintain service-level agreements, and ensure that IT services are available for all users. Indeed, a CIO’s bonuses are often tied to KPIs around these very principles.

It is a different ballgame for security executives, however. With the ultimate goal of reducing IT risk, they have to have the authority to delay application deployment or even to take IT resources offline if they consider these to make the firm more vulnerable to an attack.

There are also different pressures – and salaries. With security an emerging profession, there are usually few to no KPIs, while the nascent market and the often-publicized skills shortage mean that some CISOs can earn anywhere between $500,000 and $2 million. By comparison, Robert Half Technology reports that average U.S. CIO salaries are somewhere between $157,000 and $262,000.

Perhaps it’s no surprise then that there can be complications. Some say that the CISO reporting into the CIO means that risk management takes a back seat to operations. Others argue that this is reflected in the budgets, with InfoSec generally taking a tiny 3% to 5% of the overall IT budget.

This isn’t just the grumbling of a few; there is also evidence to suggest that a disengaged or uninterested CIO can negatively impact the security of the business.

A 2014 report from PwC found that CISOs reporting to CIOs have 14 percent more downtime due to incidents than those that don’t. The same report found that organizations with the same structure see 46 percent higher financial losses from a breach than companies with an alternative arrangement.

Another study, carried out by Carbon Black, found that 28 percent of CIOs (in the UK at least) were unconcerned at being breached.

“I visit organizations as a trouble-shooter/interim CISO consultant and one of the first issues I see is a lack of understanding of the CISO and CIO role, a lack of clear reporting and stakeholder engagement,” consultant and former Fujitsu CISO Jimmy Bashir tells CSO Online.


“This has always led to the CIO thinking that the CISO is just one of many sub-issues to manage… Some CIOs don't even believe a CISO is needed as they have not had a breach.”

This troubled relationship – which coincides with an increasing willingness to push security up the business agenda – has seen some organizations try to change reporting lines. There is interest, if limited uptake, in CISOs reporting to the CFO for budgeting reasons, as well as interest in reporting to legal counsel or the Chief Risk Officer.

Most CISOs would ultimately like a direct link to the CEO, and analysts believe this could be the answer; IDC predicts that 75 percent of Chief Security Officers and CISOs will be reporting directly to the CEO by 2018.

A CISO’s complaints

There is some validity to CISOs’ complaints about reporting to the CIO.

For instance, there are concerns that, if security issues threaten to stall or stop an IT project, the CIO could overrule them.

The CIO might also be reluctant to approve security projects that hinder IT productivity, and could drop such a project if the money could instead be spent on IT.

There has also been the suggestion that CIOs don’t take note of the CISO – a particular concern in the new Internet of Things era, where previously unconnected enterprise goods are now being connected to the network and collecting data.

At an MIT security roundtable earlier this year, Samsung Business Services CISO Sam Philips said that IT leaders are increasingly guilty of pushing out business tools without completely understanding the business risks and requirements.

Both he and Mark Morrison, CISO of financial services firm State Street, called for security chiefs to operate independently from IT.

Morrison explained that the State Street job was his fifth stint as a chief security officer, and that he had always reported to the CIO. But at State Street, Morrison also reports directly to the board.

“I’m the only standing agenda item,” he said of board meetings. Yet at every board meeting, he fields the same questions on risks, such as ‘how serious are they?’ and ‘does he have enough resources to do his job?’

“What happens is this natural tension between operations and cybersecurity, and there’s only so much money,” he said, his comments reported by TechTarget. “There’s only so much time and prioritization that can be allocated.”

He admits that the reporting structure makes it “hard to give a very honest answer.”

A CIO’s complaints

This dissatisfaction isn’t one-sided. CIOs can feel that CSO/CISOs slow down innovation cycles, and spread the fear factor of data breaches and cyber-criminals.

One CIO, speaking anonymously to CSO Online earlier this year, previously fired his CISO after accusing him of “talking the talk, but not walking the walk.”

The CIO, working for a large European transport company, says that weak CISOs “create real fear factor for boards and senior executives” and are unable to communicate properly with the business.

“It’s a constant battle,” he told CSO, continuing that poor CISOs act as a blocker, fail to present solutions and engage in thought leadership.

He admits the reporting line conversation is a “big debate”, and says that risk and information security could eventually fall under the CRO or legal counsel.

CISOs, he says, must do the following:

  1. “Definitely know your scope, and your boundaries, plus where you can break [the business] and where you can add value.”
  2. “Understand the business and be clear what the priorities of the business are.”
  3. “Try and make it real for executives. If they understand it and it challenges them, then you're less likely to be sacked!”

How to improve the relationship?

For all of this, there is industry consensus that the relationship can – and often does – work.

“The relationship with the CIO (my boss) is very strong,” said Quentyn Taylor, director of information security at Canon Europe. “We both have a shared vision and both feel comfortable knowing that we can freely share and make recommendations in a culture of respect.”

Dane Warren, CISO at international product testing company Intertek adds: “In my experience, it has always been a good relationship.”

This said, Taylor admits that communication and sharing common goals are essential to the relationship being a success.

He speaks of security being about achieving a “shared business vision”, and calls for both CISOs and CIOs to share in “open communication and shared goals, remembering that they have the same overall objectives”.

It is also about both being business-enablers.

“Where I have set up the reporting structure for the organization, the CIO and the CISO work well together with the business and become enablers, rather than the old approach of 'you’re not allowed to do that',” adds Bashir.

“The CIO has to understand that the CISO is a support function to their role and not feel threatened that their judgement is being called into question or that they are going to be blamed for any issues found. When the CIO embraces the CISO, the relationship works well.”

So when do they fail?

Taylor says that relationships fall down “when there isn’t a culture of respect and trust”.

“This means that the InfoSec department starts to take a negative attitude to risk and, believing that they will be held responsible, start to become massively risk averse. This is corrosive as it’s not understood and isolates the InfoSec team still further.”

Bashir believes this can be overcome through better communication between departments.

“Effective engagement is based on clear and concise communication; this goes for the whole business and not just the CIO and CISO relationship.”

Intertek’s Warren agrees. “Ensure that the security message is relevant for the business, and that the business value is being demonstrated.”

By Doug Drinkwater