Most companies today recognize the importance of having a leader tasked with keeping the organization's information assets protected from data breaches, cyberattacks, and bad actors. With tech ubiquitous across every sector and the real risk of a company's very existence being compromised, we've finally arrived at a place where the significance of cybersecurity is universally understood.
While this shift is very positive for information security professionals, I think we still have some way to go before there is consensus on just how to organizationally structure infosec in accordance with a company's needs.
A number of companies now recognize that information security is no longer confined to just technology, and that in fact it is one of their largest business risks, spanning all areas of their organization. Yet one of the most common structural security questions continues to be "Where should the chief information security officer (CISO) sit in our organization?"
For some enterprises, this isn't an easy philosophical choice. Often the default response is to have the CISO report to the chief information officer within the technology division. For other organizations, the CISO sits within the enterprise risk, legal, or operations department.
A growing trend, however, is for the CISO to report to the chief executive officer, which makes a lot of sense given the CISO's unique viewpoint across the entire enterprise. This reporting line truly establishes CISOs as members of a company's executive management team.
Regardless of who CISOs report to, what's important is that they engage with their peers and build effective and strong relationships so everyone can be successful. That said, one relationship in particular that's key to their success is the one with their chief information officer.
These two leaders play critical roles in protecting an organization. And while they may have different needs, drivers, and objectives, these two functions should ideally complement each other rather than having to compete with one another.
At its core, a CISO's role is about understanding and managing a key business risk. As the executive in charge of cybersecurity, the person should have a deep understanding of an organization's technology functions and how they are integrated. But just as important, they need to have a firm grasp of the business processes, priorities, and the "how and why" technology is deployed and used throughout the company.
This helps CISOs gain a critical perspective in managing and responding to their organization's security needs, particularly when working in a highly regulated industry, such as financial services and healthcare.
Conversely, CIOs are more focused on keeping their technology up and running, connected, remotely accessible, and aligned with the rapidly changing needs of their business and customers. This is no small task, and it's one that is increasingly difficult as workforces have gone remote and stayed so since the pandemic began almost two years ago.
While clearly related, the mindsets of these two executives should be very different. CIOs must focus on ensuring that an enterprise remains up and running while delivering new features and functions for an ever-demanding user base. CISOs, on the other hand, need to think more about securing their enterprises and addressing the likelihood and impact of both known and unknown threats in our ever-changing technology landscape.
From a practical standpoint, budget and reporting oversight also makes a strong case for decoupling. If you are a CEO or a chief risk officer, concerned about the constant presence of new and evolving cyber threats, you want a CISO's security recommendations to be unfiltered and free of the influence of a CIO, who — quite naturally — is focused upon speed and functionality. You would also want to ensure that cybersecurity budgets never run the risk of being diverted to other tech priorities.
Decoupling the CISO and CIO roles creates an organic check and balance that mitigates, if not eliminates, unnecessary organizational risks. And that's the key. Enterprises that have risk management embedded in their DNA have been the first to reorganize accordingly. Companies that prioritize cost management over risk management will no doubt be slower to address their risks.
Ultimately, I do believe that CIO-CISO uncoupling will continue as more organizations see the benefits of these executives working together as peers while being able to satisfy their own priorities and their business needs.