Get the CIO out of the Reporting Line for Security...

Drazen Drazic
Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

CIOs cop quite a bit of criticism from the Information Security industry and the people in it.

Rightly so, I believe, in most cases. We’re in 2012 now, not 1999, when ignorance of basic security could still be forgiven (somewhat). Hacking was still a dark art to many back then.

Don’t get me wrong, there are some really good CIOs out there when it comes to understanding and working on Information Security issues and doing the right thing by their companies, but to be honest, there are many CIOs that also fail dismally. Regardless of whether they’re getting advice and guidance from their security people, ultimately, a level of accountability must sit with them.

If you’re a CIO and you’re not reporting the state of risk and security on a regular basis to your CEO and/or Board, you are not only putting your organisation at greater risk but, looking at the bigger picture, also your business partners, shareholders and everyone else associated with that business. (The CFO reports financial position and risks on a regular basis, so why aren’t you?)

As a CIO, are you on top of amendments to the Corporations Act? Do you know what your Board of Directors’ role is in terms of Risk Management oversight and governance? If not, why not?

What is the problem with many CIOs?

In brief, it comes down to some or all of the following:

- A general lack of understanding and appreciation of the true risks (and what should be being done)
- Security projects not seen as high priority / high profile projects
- Lack of budget to dedicate to security
- Fear of looking bad [to senior management]

I could also add that some don’t really care, and while that may be the case for some, I’d like to hope that those in this category make up less than 1% of the CIO population (though some of you may have differing opinions on this). In my opinion, the four points above cover the majority of reasons why CIOs fail when it comes to Information Security.

It’s interesting when we get the opportunity to present the findings of work we’ve undertaken for an organisation to the CEO and/or Board as opposed to just talking with the IT Security Manager or CIO.

The IT Security Manager (or CSO) generally takes the issues reported seriously and attempts, to the best of their abilities and against organisational roadblocks (sticking points), to get the issues resolved. They’re generally on the same wavelength and understand what these issues potentially mean to the business. (More IT Security Managers and CSOs should be CIOs.)

For the CIO, somewhere along the line, the logic in terms of impact and potential risk to the business gets lost and clouded as they assess the report and meld it with the four bullet points mentioned above. Sticking point! And this is where the majority of Information Security issues remain: filed away in the too-hard basket. Information security people start complaining, lose respect for and confidence in the CIO, become disgruntled, and most eventually leave to look for greener pastures.

Interestingly, CEOs and boards are more interested in listening to Information Security issues being faced by their business than most CIOs are. Their eyes don’t glaze over and they genuinely care and want to understand the potential impacts to the business. In almost all cases where we’ve been invited to present to the CEO and/or board, that organisation has rapidly changed their mindset and approach to Information Security and Risk Management practices.

Is there a better argument for removing the CIO from the reporting line for Information Security? We can ramble on and on about awareness growing, CIOs getting more involved, things changing and so on, but is that really the case? It’s 2012 (I’ll say it again), and since I first wrote this in 2008, little has changed!

CIOs need to realise that boards and board reporting are going to be putting more pressure on them as boards realise that, as part of their Risk Management oversight and governance, IT risks are as threatening to the business as many other things they traditionally assess. Catch up!

Many CIOs like to position themselves as “business” people. But if they want to be seen that way, they need to start thinking and behaving as “business” people too.

Tags: risk management, security, governance, CIOs

Comments (5)

Jack Jessen

1

Drazen,

Our message needs to be directed to the business, the owners of the information and as you've clearly pointed out, the Board/s.

Over the last decade plus there has indeed been little to no advance in awareness of the risks to business or self of interacting on public or private information infrastructure, much less in applying controls or adhering to 'good' policy.

I've posted this before I believe, though not necessarily in response to yourself: we practitioners would do well to use the communications professionals in delivering our messages to the appropriate stakeholders well beyond ourselves.

Good luck and regards,

Jack G Jessen

Peter Cooper

2

Drazen,

I think the point you are making is really a broader issue about CIO capability.

An enlightened CIO understands their responsibility across a broad range of areas, among which is risk management. And security is just a subset of that discipline.

I once told a CIO I worked for, that you’re only as important as the things you worry about. If you worry about bits & bytes, you will be seen as a technician. But if you worry about big picture things, like reputational risk, then you are more likely to be seen as a player in the main game.

So I would suggest that a CIO who doesn’t worry about security as a business issue has deeper problems than security.

Peter

Drazen Drazic

3

Jack,

Agreed. Anyone who's had the opportunity to present to an audience outside our industry, whether at a conference or even a small meeting will probably agree they've felt like they've made a small difference. We're very insular but then again, most industries would feel the same way. I imagine what sort of reaction senior management, non-IT would have sitting in a day or two at Ruxcon for example. (Obviously not all the talks :)) We need to get out more.

Peter,

Good points. You're right.

Hopefully they learned from that. :)

DD

Takethe5th

4

Lol. CIOs who act like thought leaders but plead ignorance when hacked.

Director

5

I am a member of the Institute of Company Directors. In that forum there is also the debate about IT exposure at the Board Level. But from another perspective.

Having dealt with IT and security "Specialists" a lot over the years, many are arrogant and have a significant belief that theirs is the most important part of the business and no interest or awareness whatsoever in understanding and appreciating the other areas of the business that a board has to consider. Perhaps if they did, and adjusted the message to a business focus instead of a doom and gloom "everything is either high risk or no risk" (to cover their own positions), there may be a better synergy of IT and business requirements.

Here are just a few comments from another similar thread going at the moment but where the audience are board members and or directors.

"... I feel that IT personnel tend to focus on the technical aspects of their job instead of the reality of the application to the business world, such as being accountable for overexpenditure of projects and low delivery rate."

"But oftentimes, the problem is that the project is only defined in terms of the IT outputs which are to be delivered, without due attention to the business change necessary for the business to make effective use of the IT deliverables, realising the business outcomes and business benefits sought. At the end of the day, it is the line managers who achieve the benefits, not the CIO or his/her organisation...."

"...we need to assess the business skills of the CIO. A good CIO will have a strong understanding of the IT systems and processes, will support this with a well structured project management philosophy (that doesn't finish until the project is successfully delivering its goals) and will apply sound business skills across all decision making.

The nature of the business and the strength of the CIO will determine how much expertise is needed at board level. ..."

"In my experience somebody who is able to speak in both executive terms and ICT terms is valued by boards, executive groups and ICT alike. I find that everybody is equally frustrated by the conversations that are currently occurring.

Executive groups and boards genuinely value somebody who can articulate an ICT initiative in clear and unequivocal business terms, demonstrating alignment to business objectives and identifying the business outcomes that will be achieved. They want a clear business case that will enable them to make confident decisions based on accurate information."

And no need to put the whole thread in here :)
