Historically, the head of security (CISO) reporting into the head of IT (CIO) has made a lot of sense.
Both departments are – at their core – technical disciplines, and as such there is a need for the two to be in regular contact. They need to overlap on network infrastructure, information security, and IT compliance, not to mention overseeing the release of safe, bug-free code and the delivery of secure products.
Yet this relationship is often lambasted by those working in the InfoSec community. Some describe it as ‘adversarial’ – with two very different people trying to achieve different objectives.
CIOs will look to bring new business applications online, to maintain service-level agreements, and ensure that IT services are available for all users. Indeed, a CIO’s bonuses are often tied to KPIs around these very principles.
It is a different ballgame for security executives, however. With the ultimate goal of reducing IT risk, they have to have the authority to delay application deployment or even to take IT resources offline if they consider these to make the firm more vulnerable to an attack.
There are also different pressures – and salaries. With security an emerging profession, there are usually few to no KPIs, while the nascent market and the often-publicized skills shortage mean that some CISOs can earn anywhere between $500,000 and $2 million. By comparison, Robert Half Technology reports that average U.S. CIO salaries are somewhere between $157,000 and $262,000.
Perhaps it’s no surprise then that there can be complications. Some say that the CISO reporting into the CIO means that risk management takes a back seat to operations. Others argue that this is reflected in the budgets, with InfoSec generally taking a tiny 3% to 5% of the overall IT budget.
This isn’t just the grumbling of a few; there is also evidence to suggest that a disengaged or uninterested CIO can negatively impact the security of the business.
A 2014 report from PwC found that CISOs reporting to CIOs have 14 percent more downtime due to incidents than those that don’t. The same report found that organizations with the same structure see 46 percent higher financial losses from a breach than companies with an alternative arrangement.
Another study, carried out by Carbon Black, found that 28 percent of CIOs (in the UK at least) were unconcerned at being breached.
“I visit organizations as a trouble-shooter/interim CISO consultant and one of the first issues I see is a lack of understanding of the CISO and CIO role, a lack of clear reporting and stakeholder engagement,” consultant and former Fujitsu CISO Jimmy Bashir tells CSO Online.
“This has always led to the CIO thinking that the CISO is just one of many sub-issues to manage… Some CIOs don't even believe a CISO is needed as they have not had a breach.”
This troubled relationship – which coincides with an increasing willingness to push security up the business agenda – has seen some organizations try to change reporting lines. There is interest, if limited uptake, in CISOs reporting to the CFO for budgeting reasons, as well as in reporting to legal counsel or the Chief Risk Officer.
Most CISOs would ultimately like a direct link to the CEO, and analysts believe this could be the answer; IDC predicts that 75 percent of Chief Security Officers and CISOs will be reporting directly to the CEO by 2018.
A CISO’s complaints
There is some validity to CISOs’ complaints about reporting to the CIO.
For instance, there are concerns that, if security issues threaten to stall or stop an IT project, the CIO could simply overrule them.
The CIO might also be reluctant to approve security projects that hinder IT productivity, and could drop such a project if the money could instead be spent on IT.
There has also been the suggestion that CIOs don’t take note of the CISO – a particular concern in the Internet of Things era, where previously unconnected enterprise equipment is now being connected to the network and collecting data.
At an MIT security roundtable earlier this year, Samsung Business Services CISO Sam Philips said that IT leaders are increasingly guilty of pushing out business tools without completely understanding the business risks and requirements.
Both he and Mark Morrison – CISO of financial services firm State Street – called for security chiefs to operate independently from IT.
Morrison explained that the State Street job was his fifth stint as a chief security officer, and that he had always reported to the CIO. But at State Street, Morrison also reports directly to the board.
“I’m the only standing agenda item,” he said of board meetings. Yet at every board meeting he fields the same questions on risks: how serious are they, and does he have enough resources to do his job?
“What happens is this natural tension between operations and cybersecurity, and there’s only so much money,” he said, his comments reported by TechTarget. “There’s only so much time and prioritization that can be allocated.”
He admits that the reporting structure makes it “hard to give a very honest answer.”
A CIO’s complaints
This dissatisfaction isn’t one-sided. CIOs can feel that CSO/CISOs slow down innovation cycles, and spread the fear factor of data breaches and cyber-criminals.
One CIO, speaking anonymously to CSO Online earlier this year, had previously fired his CISO after accusing him of “talking the talk, but not walking the walk.”
The CIO, working for a large European transport company, says that weak CISOs “create real fear factor for boards and senior executives” and are unable to communicate properly with the business.
“It’s a constant battle,” he told CSO, adding that poor CISOs act as a blocker, fail to present solutions, and do not engage in thought leadership.
He admits the reporting line conversation is a “big debate”, and says that risk and information security could eventually fall under the CRO or legal counsel.
CISOs, he says, must do the following:
- “Definitely know your scope, and your boundaries, plus where you can break [the business] and where you can add value."
- “Understand the business and be clear what the priorities of the business are.”
- “Try and make it real for executives. If they understand it and it challenges them, then you're less likely to be sacked!”
How to improve the relationship?
For all of this, there is industry consensus that the relationship can – and often does – work.
“The relationship with the CIO (my boss) is very strong,” said Quentyn Taylor, director of information security at Canon Europe. “We both have a shared vision and both feel comfortable knowing that we can freely share and make recommendations in a culture of respect.”
Dane Warren, CISO at international product testing company Intertek adds: “In my experience, it has always been a good relationship.”
This said, Taylor admits that communication and sharing common goals are essential to the relationship being a success.
He speaks of security being about achieving a “shared business vision”, and calls for both CISOs and CIOs to share in “open communication and shared goals, remembering that they have the same overall objectives”.
It is also about both being business-enablers.
“Where I have set up the reporting structure for the organization, the CIO and the CISO work well together with the business and become enablers, rather than the old approach of ‘you’re not allowed to do that’,” adds Bashir.
“The CIO has to understand that the CISO is a support function to their role and not feel threatened that their judgement is being called into question or that they are going to be blamed for any issues found. When the CIO embraces the CISO, the relationship works well.”
So when do they fail?
Taylor says that relationships fall down “when there isn’t a culture of respect and trust”.
“This means that the InfoSec department starts to take a negative attitude to risk and, believing that they will be held responsible, start to become massively risk averse. This is corrosive as it’s not understood and isolates the InfoSec team still further.”
Bashir believes this can be overcome through better communication between departments.
“Effective engagement is based on clear and concise communication; this goes for the whole business and not just the CIO and CISO relationship.”
Intertek’s Warren agrees. “Ensure that the security message is relevant for the business, and that the business value is being demonstrated.”