A common session at security conferences (and a fun game to play whenever security professionals gather) is, “Where should the CISO report?” No other question raises as much passion, anger, and tribalism as this one (except, maybe, “iPhone or Android?”). Historically, Information Security (or Information Risk) has been seen as a technical discipline, not a business risk function, so it’s not surprising that the majority of CISOs still report within the technical ranks of an organization. A 2022 report from IANS Research showed that 69 percent of CISOs report to a technical leader (CIO or CTO) within their organizations. What’s interesting about this is that for decades we’ve been told, “Security should never report to the CIO.” Auditors, consultants, regulators, and risk management professionals have repeatedly pointed to potential conflicts of interest as an absolute reason to avoid such a placement. What are these alleged conflicts?
• The CIO is focused on operations and Security’s role is to identify issues that may slow or stop operations. Therefore, the CIO is predisposed to downplay or ignore security recommendations.
• The CIO will filter all reporting and recommendations so as to prevent IT from ‘looking bad’ to leadership or governance bodies.
Where should the CISO report, then, according to these warnings? Likely candidates include Risk Management, Legal, Audit, or (in the best case) directly to the CEO. Yet only 31 percent of CISOs are currently reporting to one of these alternate business areas. It’s hard to believe that the vast majority of organizations just don’t see the monumental conflict within their organizations. Rather, a better explanation might be that, however well-meaning these warnings are, they completely fail to account for the reality of business risk management in 2022.
There are three factors that weigh heavily on an organization’s ability to sustain an effective information risk management program:
1. Maturity: The organization must have reached an advanced level of maturity in their risk management, audit, and technology processes. Each of these functions should have clear charters and the roles and relationships between them should be clearly defined and understood by all. Most important, each of these functions must understand the interrelated nature of their responsibilities to both each other and the enterprise as a whole, and work to ensure the needs and risks of each are balanced out to benefit the organization and its customers. An organization that does not possess this level of maturity will have a difficult time incorporating a mature information risk practice, no matter where it reports.
2. Culture: The organization’s culture plays a major role in how information risk is managed and incorporated into the fabric of the organization. For example, is the organization collaborative (where teams cooperate and support each other) or combative (where they compete for glory, favor, and accolades)? Does the organization value team players and high levels of cooperation, or does it value a small set of superheroes who sweep in to save the day when things are going wrong? Information risk – indeed all risk management – is a team sport and difficult enough under the best of circumstances. Adding a siloed, rivalrous environment to the mix makes it that much harder.
3. Relationship Management: An effective information risk program – and the CISO as its most visible representative – must cultivate cooperative support at all levels of the organization. They must be able to understand the nature of the organization’s business and provide clear and meaningful advice, counsel, and (sometimes) direction on what must be done to protect the enterprise. They need the ability to directly engage leadership as necessary to address risk concerns and volatile situations, and that requires the ability to give respect to (and earn respect from) their teams, peers, and leadership. They must also have the ability to communicate risk effectively to both technical and non-technical audiences.
What’s interesting as you read through these requirements is that none of them have anything to do with organization placement or whether the CISO reports to Risk, Legal, IT, or the CEO. And all of them speak to the need for the entire organization to recognize the importance of managing information risk and instilling that importance as part of the organization’s daily life. Information risk management is not about the organization structure or reporting relationships, it’s about understanding the ways that information and technology can be put at risk, how to prevent or mitigate the harm that may result, and sharing that knowledge throughout the organization.
You may ask, “What about those conflicts of interest that exist when the CISO reports to the CIO?” They’re still there, and there are far too many instances of them coming true in far too many organizations. But conflicts exist no matter where the CISO reports. The Chief Risk Officer may not want to look bad to the Board, so they may deemphasize the information risk aspects of their reports. The General Counsel may feel that acknowledging a large number of vulnerabilities may harm the organization during pending litigation. The Chief Human Resources officer may not want to make employees feel threatened in the workplace, so they may restrict the security team’s ability to investigate employees for wrongdoing. All positions in the organization have potential conflicts attached to them. Mature organizations have checks and balances to ensure that those conflicts are identified and managed to minimize their potential impact.
In 2022, any serious company executive would be ill-advised to downplay recommendations from the CISO on how to mitigate and manage information risk in the organization, lest they have to explain to their Board (and possibly an Attorney General or two) why they ignored Security’s advice. That danger exists throughout the organization, no matter what the reporting structure may be. The best placement for a CISO is wherever the organization needs it to be, whether that’s in Risk Management, Legal, Audit, HR, or (yes) IT. Instead of asking “Where should the CISO report?”, the better questions to ask would be, “Who has the resources and influence to help advance the information risk program? Who has the right mindset to be able to weigh information risk equally with other business risks? Who has the business and emotional maturity to enable the CISO to communicate with whomever is necessary to get the job done?”
The answers may surprise you.