Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/23/2016
01:00 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

CISO Security ‘Portfolios’ Vs. Reporting Structures

Organizational structure is a tool for driving action. Worrying about your boss's title won't help you as much as a better communication framework.

Every way to structure an organization has weaknesses.

In the first place, every executive learns early in their career that different structures have different strengths and weaknesses, and one reason to reorganize semi-regularly is to shake up some of the inertia that a structure brings. Having CISOs reporting to the CEO takes them out of the operational structure and puts them in a policy role, which creates risks that operations will hide deficiencies. Having CISOs in an operational role means that someone else might be formally responsible for risk sign-off, and their boss might hide deficiencies.

Second, every organization is different. Asserting that Amazon and Apple should have the same CISO reporting structure ignores the fact that Amazon is organized by products (retail, AWS, prime), while Apple is organized functionally (engineering, marketing). Claiming that General Electric and General Motors both need a CSO who reports to the boss ignores that GE is a conglomerate and GM is thinking pretty deeply about what their world looks like as they become a software company. (Now, you might argue that both have a CFO, but Sarbanes-Oxley mandated that role for public companies. The expansion of executive teams is getting attention in Harvard Business Review.)  

Third, more important than where you report is how you work the organization. Of course, title is important. I remember a friend marveling at how much faster his meetings got accepted after he was re-titled from director of security to “chief.” Similarly, being a direct report to the boss is a signal of the importance a company is placing on a role. But unless everyone in IT reports to the CISO, they’re fundamentally an advisor, not the decision maker. And as an advisor, they need to work the org. They need to talk to the leadership of the company and balance between various priorities while advocating for security. That balancing and perspective is helped by being close to leadership and being brought into more conversations, and hindered if there’s an expectation that the org chart brings power.

Fourth, the CEO’s a busy person. They spend their days making decisions that no one under them can make. Their bandwidth for mentoring and advising may be more limited than other leaders.

Portfolio views are under your control. You can choose to use them without getting into a discussion of what the org chart should look like. A portfolio of controls is clearly and unambiguously in your domain. Using portfolio views is unlikely to step on anyone’s toes. You can use portfolios to anchor your discussions as you work the org. A good view like the Cyber Defense Matrix grounds the conversation by avoiding jargon and linking to the business.

In The Effective Executive, Peter Drucker talked about concentrating your effort on the things that matter most. Arguing about reporting structures is a less useful place for your effort than getting a grasp on the whats and whys using portfolio views.

Related Content In This Series:    

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3006
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
CVE-2015-5361
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
CVE-2020-6803
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
CVE-2020-6804
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
CVE-2019-4301
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.