Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

8/31/2015
10:30 AM
Kevin West
Kevin West
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Top Infosec Execs Will Eventually Report To CEOs, CISOs Say

But becoming a trusted resource to the executive suite will demand major changes in the traditional chief information security officer role.

As security trends continue to become a top-of-mind concern in board rooms and executive suites, so has the issue of where the chief information security officer should sit in the corporate hierarchy. It’s an important question that K logix recently posed to a small sampling of CISOs. The results were surprising and encouraging.

We conducted telephone interviews of 34 CISOs, more than half of whom today report to the chief information officer, with 15% reporting to the chief executive officer, and the rest reporting to the chief operating officer or the head of a risk-related organization. When we asked about the future role of the CISO, 50% of our participants predict that the role will report into the CEO “in the near future.”

The CISOs identified a number of reasons why the role should move out of the IT department. Some said that reporting into the CIO introduced a conflict of interest because security teams assess both the risks of specific technology systems and also often recommend that technology be used to address the risk.

Phil Curran, who reports into the compliance department as chief information assurance and privacy Officer at Cooper University Hospital, initially reported into the CIO, but found that the reporting structure limited his ability to effectively communicate risk to other business units.  He told K logix researchers in an interview, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”

Others believe that the CEO needs to hear directly, and frequently, about risk. Christopher Dunning, CSO at Affinion Group, a marketing services organization, told us that it makes business sense to run information protection or security outside of the IT department.  “Security is not just a technical problem, it is also a business challenge. It cannot be solved with just a technical solution. You have to also take a business-centric approach.”

The CISOs in the study reported an average of ten months in their position, and 71% were in the role for the first time. While most CISOs we contacted still report into the CIO, it is notable that those in their second, third or fourth CISO role are the ones most likely to report into the CEO today. One reason could be because when CISOs look for their next opportunity they seek CEO-level sponsorship of the security organization.

Steve Bartolotta, CISO at Community Health Network of CT, and formerly CISO at Yale New Haven Health System, is a good example of that strategy. He told us that, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”

Still A Work In Progress

With just 15% of CISOs currently reporting into the CEO, security leaders have plenty of work ahead of them. It won’t be easy to move out of the IT organization and become an autonomous and business-focused organization with direct access to the CEO and more influence with the board of directors. Here are four ways I believe security teams can position themselves for this change.

Explore: First and foremost, security leaders must be explorers. It is imperative to identify all the risks as well as opportunities that exist in the business environment. This requires a plan for exploration and identification. Most CISOs identify risk, but are not looking for opportunities. By identifying opportunities as well as risks, CISOs become business-focused allies to their peers.

Explain: Security leaders most relay both risks and opportunities to the business units in an effective, digestible, and actionable manner. If risks and opportunities are explained correctly, security has the ability to empower business users to make smarter decisions and work more effectively.

Innovate: Security leaders seeking to elevate themselves within the organization should also elevate their work beyond operational projects to a more innovative and transformational role. The right technologies can help them work smarter and be more analytical. By leveraging innovative, intelligent technologies, security teams can spend less time running systems and more time analyzing performance to identify issues and opportunities.

Advocate: Beyond deputizing employees and customers to be smarter about security, CISOs that report into the CEO will advocate for their teams and projects by explaining how security can impact business objectives.

The relationship between the CISO and CEO is already getting stronger, as CISOs report more one-on-one interaction with the CEO, and more requests for education and insight from the board. However, to become a trusted resource and direct report, the role of the CISOs must be perceived as critical to business performance and revenue. This demands changes in both function and focus. 

Kevin West is the chief executive and founder of K logix, where he oversees a team of data security experts who help customers build confident data security programs. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
0%
100%
TerryB,
User Rank: Ninja
9/1/2015 | 2:16:10 PM
Really?
I'd like to be a fly on the wall of those conversations. Why am I having a hard time believing that could be a meaningful direct dialog?

Dealing with risk mgmt has always been a part of CEO job, that's why risk (business) auditors have existed for quite sometime. I never heard a discussion of them reporting directly to CEO. I'm not sure why the risk of network/server compromise is any different other than the technical aspects of it. And with all the Zero Day stuff going on, what exactly can a CISO even rate the risk as being at any particular time?

CEO: Well Bob, what is the current risk of having our email records compromised?

CISO: Well John, based on known attacks, I believe we have a 1.5% of being compromised on any given day. But if someone discovers a Zero Day, it could be significantly worse.

CEO: Thank you John, that is extremely useful in helping me decide how to increase our revenue, improve our quality of service, and lower our cost. Glad to have you on the team!
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2019-10134
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2019-10154
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVE-2019-9039
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
CVE-2018-20846
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).