Why CIOs Should Report to CISOs

Enterprises are facing a conundrum at the top of the cybersecurity chain.

CISOs, who oversee the network, have the primary responsibility for security, but they often lack visibility into the infrastructure and the business-critical data that is fast becoming the favored targets of cyberattackers. The CIO, who has overseen the under-the-hood development of that targeted infrastructure, is inherently better able to understand the vulnerabilities and the gaps in visibility that malicious actors are likely to exploit.

Digital transformation has put IT front and center in nearly every organization, which has made the job of protecting the infrastructure much more complicated. The growing importance of data as the lifeblood of business, the fundamental shifts in infrastructure with the emphasis on cloud and mobile computing, and the resulting target adjustments by cybercriminals and nation-state attackers has moved the spotlight away from the network.

So, who should be in charge? Can cybersecurity responsibility be split up between the CIO and the CISO? Can they somehow share security duties? No, not effectively. To borrow the old phrase about starting quarterbacks in football, if you have two security chiefs, you really have no security chief. It’s time for businesses and other organizations to seriously consider having their CIO report to the CISO.

Security Needs Unity
What’s most revealing is how the relationship between the CISO and IT operations team plays out in the middle of this, because while the security teams have the security requirement, it's generally the IT operations teams that have the responsibility for it. For example, a security team might have endpoint agents deployed on 17,000 systems, but they still don’t know if they have the network covered. They have to ask the IT department how many systems they need to deploy the protections on. And, really, nobody knows, because that’s not a question that’s ever been asked of the IT department.

The IT infrastructure – and more specifically the lack of visibility into it — is the biggest weak spot in enterprise security. We’ve gotten to a point where attackers know a company’s network better than the security professionals tasked with protecting it. Gaining visibility into the infrastructure —whether it involves assets, network identities, or applications and services — requires a unified, holistic approach. And that starts with unifying control at the top.

Why a CISO?
The role of CISO first appeared in 1995, and its duties have changed over the years as CISOs have become more common in enterprises. Formed under the IT umbrella — and thus reporting to the CIO — the primary goal was to identify and procure products that would effectively protect the enterprise. It would be IT’s job to manage them.

The issue with that approach, however, is that IT has evolved into a highly siloed function, which means that very few IT shops have someone sitting at the top who has comprehensive knowledge of all systems and how they interact. This is largely because IT organizations are not traditionally operational in nature. It’s a culture problem that prevents organizations from gaining a holistic understanding of the entire IT infrastructure.

The challenge facing CISOs has been developing a strategy to defend an infrastructure that no one within the organization truly understands, which has been a recipe for failure. An enterprise’s security posture is created by the security program that is built on top of the core IT infrastructure, and the overall efficacy is only as good as the weaker of the two.

If the CISO is responsible for the security of the industry, it stands to reason that same person should be responsible for both security and the IT infrastructure. In the words of ex-NFL coach Bill Parcells, if they want you to cook the dinner, they ought to let you shop for the groceries.

One Job, Not Two
When I started in cybersecurity two decades ago with the Air Force, there was no such thing in the military as a CISO as distinct from the CIO. The IT executive owned IT operations and security operations, and those grew together. Since then, of course, that has changed, starting in the private sector and spreading to many enterprises across the board (the Air Force, in fact, now has a CISO).

What's perplexing is why the CISO position was ever created in the first place. Maybe because the CIOs at the time just couldn’t get their heads around security. Or maybe some organizations felt the need to create a C-level position to underscore cybersecurity’s growing importance. Those aren't two separate roles, especially in today’s operations and threat landscapes. They are one. You have your enterprise infrastructure inclusive of operations and security, and then you have enterprise applications that help the business run more efficiently on top of it. Everything in IT is too unified and interlinked to give the jobs of running and securing an operation to two different seats.

The case can be made that the emergence of the CISO role — and its separation from IT operations — is a primary reason for many of today’s cybersecurity failures. I’ve seen the approach of combining operations and security deliver distinct benefits for security when I was in the public sector. It’s something organizations in every sector now needs to consider returning to. The current environment calls for combining IT and security functions, with the CIO reporting to the CISO.