Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/23/2016
01:00 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

CISO Security ‘Portfolios’ Vs. Reporting Structures

Organizational structure is a tool for driving action. Worrying about your boss's title won't help you as much as a better communication framework.

Every way to structure an organization has weaknesses.

In the first place, every executive learns early in their career that different structures have different strengths and weaknesses, and one reason to reorganize semi-regularly is to shake up some of the inertia that a structure brings. Having CISOs reporting to the CEO takes them out of the operational structure and puts them in a policy role, which creates risks that operations will hide deficiencies. Having CISOs in an operational role means that someone else might be formally responsible for risk sign-off, and their boss might hide deficiencies.

Second, every organization is different. Asserting that Amazon and Apple should have the same CISO reporting structure ignores the fact that Amazon is organized by products (retail, AWS, prime), while Apple is organized functionally (engineering, marketing). Claiming that General Electric and General Motors both need a CSO who reports to the boss ignores that GE is a conglomerate and GM is thinking pretty deeply about what their world looks like as they become a software company. (Now, you might argue that both have a CFO, but Sarbanes-Oxley mandated that role for public companies. The expansion of executive teams is getting attention in Harvard Business Review.)  

Third, more important than where you report is how you work the organization. Of course, title is important. I remember a friend marveling at how much faster his meetings got accepted after he was re-titled from director of security to “chief.” Similarly, being a direct report to the boss is a signal of the importance a company is placing on a role. But unless everyone in IT reports to the CISO, they’re fundamentally an advisor, not the decision maker. And as an advisor, they need to work the org. They need to talk to the leadership of the company and balance between various priorities while advocating for security. That balancing and perspective is helped by being close to leadership and being brought into more conversations, and hindered if there’s an expectation that the org chart brings power.

Fourth, the CEO’s a busy person. They spend their days making decisions that no one under them can make. Their bandwidth for mentoring and advising may be more limited than other leaders.

Portfolio views are under your control. You can choose to use them without getting into a discussion of what the org chart should look like. A portfolio of controls is clearly and unambiguously in your domain. Using portfolio views is unlikely to step on anyone’s toes. You can use portfolios to anchor your discussions as you work the org. A good view like the Cyber Defense Matrix grounds the conversation by avoiding jargon and linking to the business.

In The Effective Executive, Peter Drucker talked about concentrating your effort on the things that matter most. Arguing about reporting structures is a less useful place for your effort than getting a grasp on the whats and whys using portfolio views.

Related Content In This Series:    

Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4873
PUBLISHED: 2021-01-19
IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836.
CVE-2020-4881
PUBLISHED: 2021-01-19
IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID...
CVE-2021-22498
PUBLISHED: 2021-01-19
XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML Exte...
CVE-2021-25323
PUBLISHED: 2021-01-19
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
CVE-2021-25324
PUBLISHED: 2021-01-19
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.