Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

8/31/2015
10:30 AM
Kevin West
Kevin West
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Top Infosec Execs Will Eventually Report To CEOs, CISOs Say

But becoming a trusted resource to the executive suite will demand major changes in the traditional chief information security officer role.

As security trends continue to become a top-of-mind concern in board rooms and executive suites, so has the issue of where the chief information security officer should sit in the corporate hierarchy. It’s an important question that K logix recently posed to a small sampling of CISOs. The results were surprising and encouraging.

We conducted telephone interviews of 34 CISOs, more than half of whom today report to the chief information officer, with 15% reporting to the chief executive officer, and the rest reporting to the chief operating officer or the head of a risk-related organization. When we asked about the future role of the CISO, 50% of our participants predict that the role will report into the CEO “in the near future.”

The CISOs identified a number of reasons why the role should move out of the IT department. Some said that reporting into the CIO introduced a conflict of interest because security teams assess both the risks of specific technology systems and also often recommend that technology be used to address the risk.

Phil Curran, who reports into the compliance department as chief information assurance and privacy Officer at Cooper University Hospital, initially reported into the CIO, but found that the reporting structure limited his ability to effectively communicate risk to other business units.  He told K logix researchers in an interview, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”

Others believe that the CEO needs to hear directly, and frequently, about risk. Christopher Dunning, CSO at Affinion Group, a marketing services organization, told us that it makes business sense to run information protection or security outside of the IT department.  “Security is not just a technical problem, it is also a business challenge. It cannot be solved with just a technical solution. You have to also take a business-centric approach.”

The CISOs in the study reported an average of ten months in their position, and 71% were in the role for the first time. While most CISOs we contacted still report into the CIO, it is notable that those in their second, third or fourth CISO role are the ones most likely to report into the CEO today. One reason could be because when CISOs look for their next opportunity they seek CEO-level sponsorship of the security organization.

Steve Bartolotta, CISO at Community Health Network of CT, and formerly CISO at Yale New Haven Health System, is a good example of that strategy. He told us that, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”

Still A Work In Progress

With just 15% of CISOs currently reporting into the CEO, security leaders have plenty of work ahead of them. It won’t be easy to move out of the IT organization and become an autonomous and business-focused organization with direct access to the CEO and more influence with the board of directors. Here are four ways I believe security teams can position themselves for this change.

Explore: First and foremost, security leaders must be explorers. It is imperative to identify all the risks as well as opportunities that exist in the business environment. This requires a plan for exploration and identification. Most CISOs identify risk, but are not looking for opportunities. By identifying opportunities as well as risks, CISOs become business-focused allies to their peers.

Explain: Security leaders most relay both risks and opportunities to the business units in an effective, digestible, and actionable manner. If risks and opportunities are explained correctly, security has the ability to empower business users to make smarter decisions and work more effectively.

Innovate: Security leaders seeking to elevate themselves within the organization should also elevate their work beyond operational projects to a more innovative and transformational role. The right technologies can help them work smarter and be more analytical. By leveraging innovative, intelligent technologies, security teams can spend less time running systems and more time analyzing performance to identify issues and opportunities.

Advocate: Beyond deputizing employees and customers to be smarter about security, CISOs that report into the CEO will advocate for their teams and projects by explaining how security can impact business objectives.

The relationship between the CISO and CEO is already getting stronger, as CISOs report more one-on-one interaction with the CEO, and more requests for education and insight from the board. However, to become a trusted resource and direct report, the role of the CISOs must be perceived as critical to business performance and revenue. This demands changes in both function and focus. 

Kevin West is the chief executive and founder of K logix, where he oversees a team of data security experts who help customers build confident data security programs. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
0%
100%
TerryB,
User Rank: Ninja
9/1/2015 | 2:16:10 PM
Really?
I'd like to be a fly on the wall of those conversations. Why am I having a hard time believing that could be a meaningful direct dialog?

Dealing with risk mgmt has always been a part of CEO job, that's why risk (business) auditors have existed for quite sometime. I never heard a discussion of them reporting directly to CEO. I'm not sure why the risk of network/server compromise is any different other than the technical aspects of it. And with all the Zero Day stuff going on, what exactly can a CISO even rate the risk as being at any particular time?

CEO: Well Bob, what is the current risk of having our email records compromised?

CISO: Well John, based on known attacks, I believe we have a 1.5% of being compromised on any given day. But if someone discovers a Zero Day, it could be significantly worse.

CEO: Thank you John, that is extremely useful in helping me decide how to increase our revenue, improve our quality of service, and lower our cost. Glad to have you on the team!
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16695
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
CVE-2019-16696
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
CVE-2018-21018
PUBLISHED: 2019-09-22
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2019-16692
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
CVE-2019-16693
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.