As security trends continue to become a top-of-mind concern in board rooms and executive suites, so has the issue of where the chief information security officer should sit in the corporate hierarchy. It’s an important question that K logix recently posed to a small sampling of CISOs. The results were surprising and encouraging.
We conducted telephone interviews of 34 CISOs, more than half of whom today report to the chief information officer, with 15% reporting to the chief executive officer, and the rest reporting to the chief operating officer or the head of a risk-related organization. When we asked about the future role of the CISO, 50% of our participants predict that the role will report into the CEO “in the near future.”
The CISOs identified a number of reasons why the role should move out of the IT department. Some said that reporting into the CIO introduced a conflict of interest because security teams assess both the risks of specific technology systems and also often recommend that technology be used to address the risk.
Phil Curran, who reports into the compliance department as chief information assurance and privacy Officer at Cooper University Hospital, initially reported into the CIO, but found that the reporting structure limited his ability to effectively communicate risk to other business units. He told K logix researchers in an interview, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”
Others believe that the CEO needs to hear directly, and frequently, about risk. Christopher Dunning, CSO at Affinion Group, a marketing services organization, told us that it makes business sense to run information protection or security outside of the IT department. “Security is not just a technical problem, it is also a business challenge. It cannot be solved with just a technical solution. You have to also take a business-centric approach.”
The CISOs in the study reported an average of ten months in their position, and 71% were in the role for the first time. While most CISOs we contacted still report into the CIO, it is notable that those in their second, third or fourth CISO role are the ones most likely to report into the CEO today. One reason could be because when CISOs look for their next opportunity they seek CEO-level sponsorship of the security organization.
Steve Bartolotta, CISO at Community Health Network of CT, and formerly CISO at Yale New Haven Health System, is a good example of that strategy. He told us that, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”
Still A Work In Progress
With just 15% of CISOs currently reporting into the CEO, security leaders have plenty of work ahead of them. It won’t be easy to move out of the IT organization and become an autonomous and business-focused organization with direct access to the CEO and more influence with the board of directors. Here are four ways I believe security teams can position themselves for this change.
Explore: First and foremost, security leaders must be explorers. It is imperative to identify all the risks as well as opportunities that exist in the business environment. This requires a plan for exploration and identification. Most CISOs identify risk, but are not looking for opportunities. By identifying opportunities as well as risks, CISOs become business-focused allies to their peers.
Explain: Security leaders most relay both risks and opportunities to the business units in an effective, digestible, and actionable manner. If risks and opportunities are explained correctly, security has the ability to empower business users to make smarter decisions and work more effectively.
Innovate: Security leaders seeking to elevate themselves within the organization should also elevate their work beyond operational projects to a more innovative and transformational role. The right technologies can help them work smarter and be more analytical. By leveraging innovative, intelligent technologies, security teams can spend less time running systems and more time analyzing performance to identify issues and opportunities.
Advocate: Beyond deputizing employees and customers to be smarter about security, CISOs that report into the CEO will advocate for their teams and projects by explaining how security can impact business objectives.
The relationship between the CISO and CEO is already getting stronger, as CISOs report more one-on-one interaction with the CEO, and more requests for education and insight from the board. However, to become a trusted resource and direct report, the role of the CISOs must be perceived as critical to business performance and revenue. This demands changes in both function and focus.