With the threat of cybercrime constantly rising, the challenge of keeping data and networks safe has convinced many companies to appoint a Chief Information Security Officer (CISO) to oversee their cyber security needs. The CISO is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The problem is that CISOs can be hampered by company hierarchies, which subordinate them to the Chief Information Officer (CIO). In industries that are used to taking a high-risk approach, like the financial or tech spaces, this can turn into a major problem. Here’s why we feel the CISO shouldn’t report to the CIO.


Freedom of Action

The CISO and CIO roles can be conflicting or complementary depending on the organizational reporting structure a company adopts. Finding the right balance can be tricky. The 2017 ISACA CISO board briefing came to the conclusion that a universal organizational best-practice map simply doesn’t exist when it comes to reporting. With publicly traded companies in mind, the latest SEC cyber security guideline specifically recommends that cyber breaches should be dealt with and reported at the highest level. A 2015 Georgia Tech study on cyber security governance found that 40% of CISOs were still reporting to CIOs. In 2018, a PwC study concluded that this figure had dropped to around 24%: 40% of CISOs now report directly to CEOs, with another 27% reporting to the board of directors. But these figures aren’t universal, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) concluded that only 8% of CISOs are reporting directly to a CEO. At any rate, when the CISO has to report to a CIO, this usually means that the latter has a big say in information security budgets, and may cut corners to lower costs or invest in other areas seen as more urgent (especially if the company hasn’t been attacked in the past).


Different Roles and Responsibilities

Information security has traditionally been treated as a subordinate component of IT departments, a trend which could lead to increasingly negative consequences as cyber threats increase in number and sophistication. Since IT is driven by innovation, research and development in this area naturally take greater risks to make a major breakthrough in tech solutions. The role of cyber security professionals, led by the CISO, is to ensure that this creative process is as safe as possible. The primary focus of a cyber security team is to strategically and tactically mitigate risk by securing the environment and proactively identifying and eliminating potential threat vectors and bad actors. Maintaining secure networks also requires taking steps to minimize risky behavior within the organization, even if it means limiting employee access to information that’s not directly related to their tasks. This safety prerogative can generate friction between the CISO and the CIO if it isn’t managed cooperatively.


Maximizing Organizational Cyber Security

Because cyber attacks and data leaks usually affect the organization as a whole, CISOs need to be responsible for protecting every department, whether or not it is IT in nature. Some security measures may even require changes in corporate policy that could have a negative short-term impact on areas the CIO is responsible for. For example, introducing two-factor authentication or similar interface-level security steps may irritate users or slow down the development process. Also, the CIO may not fully understand the security requirements of other departments that are outside their control, or may have performance motives to delay implementing additional security procedures. A CISO with C-suite status or direct access to the company’s top brass will feel more empowered to make decisions that can maximize information security for the entire company.

Finding and hiring top CISOs can be a tall order for any company. Competition is high and talent is scarce. Let us do the heavy lifting for you! HuntSource combines the most cutting-edge recruiting practices on the market with expert knowledge of the tech and cyber security space to match our clients with the best talent in the information security industry.