Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

8/31/2015
10:30 AM
Kevin West
Kevin West
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Top Infosec Execs Will Eventually Report To CEOs, CISOs Say

But becoming a trusted resource to the executive suite will demand major changes in the traditional chief information security officer role.

As security trends continue to become a top-of-mind concern in board rooms and executive suites, so has the issue of where the chief information security officer should sit in the corporate hierarchy. It’s an important question that K logix recently posed to a small sampling of CISOs. The results were surprising and encouraging.

We conducted telephone interviews of 34 CISOs, more than half of whom today report to the chief information officer, with 15% reporting to the chief executive officer, and the rest reporting to the chief operating officer or the head of a risk-related organization. When we asked about the future role of the CISO, 50% of our participants predict that the role will report into the CEO “in the near future.”

The CISOs identified a number of reasons why the role should move out of the IT department. Some said that reporting into the CIO introduced a conflict of interest because security teams assess both the risks of specific technology systems and also often recommend that technology be used to address the risk.

Phil Curran, who reports into the compliance department as chief information assurance and privacy Officer at Cooper University Hospital, initially reported into the CIO, but found that the reporting structure limited his ability to effectively communicate risk to other business units.  He told K logix researchers in an interview, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”

Others believe that the CEO needs to hear directly, and frequently, about risk. Christopher Dunning, CSO at Affinion Group, a marketing services organization, told us that it makes business sense to run information protection or security outside of the IT department.  “Security is not just a technical problem, it is also a business challenge. It cannot be solved with just a technical solution. You have to also take a business-centric approach.”

The CISOs in the study reported an average of ten months in their position, and 71% were in the role for the first time. While most CISOs we contacted still report into the CIO, it is notable that those in their second, third or fourth CISO role are the ones most likely to report into the CEO today. One reason could be because when CISOs look for their next opportunity they seek CEO-level sponsorship of the security organization.

Steve Bartolotta, CISO at Community Health Network of CT, and formerly CISO at Yale New Haven Health System, is a good example of that strategy. He told us that, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”

Still A Work In Progress

With just 15% of CISOs currently reporting into the CEO, security leaders have plenty of work ahead of them. It won’t be easy to move out of the IT organization and become an autonomous and business-focused organization with direct access to the CEO and more influence with the board of directors. Here are four ways I believe security teams can position themselves for this change.

Explore: First and foremost, security leaders must be explorers. It is imperative to identify all the risks as well as opportunities that exist in the business environment. This requires a plan for exploration and identification. Most CISOs identify risk, but are not looking for opportunities. By identifying opportunities as well as risks, CISOs become business-focused allies to their peers.

Explain: Security leaders most relay both risks and opportunities to the business units in an effective, digestible, and actionable manner. If risks and opportunities are explained correctly, security has the ability to empower business users to make smarter decisions and work more effectively.

Innovate: Security leaders seeking to elevate themselves within the organization should also elevate their work beyond operational projects to a more innovative and transformational role. The right technologies can help them work smarter and be more analytical. By leveraging innovative, intelligent technologies, security teams can spend less time running systems and more time analyzing performance to identify issues and opportunities.

Advocate: Beyond deputizing employees and customers to be smarter about security, CISOs that report into the CEO will advocate for their teams and projects by explaining how security can impact business objectives.

The relationship between the CISO and CEO is already getting stronger, as CISOs report more one-on-one interaction with the CEO, and more requests for education and insight from the board. However, to become a trusted resource and direct report, the role of the CISOs must be perceived as critical to business performance and revenue. This demands changes in both function and focus. 

Kevin West is the chief executive and founder of K logix, where he oversees a team of data security experts who help customers build confident data security programs. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
0%
100%
TerryB,
User Rank: Ninja
9/1/2015 | 2:16:10 PM
Really?
I'd like to be a fly on the wall of those conversations. Why am I having a hard time believing that could be a meaningful direct dialog?

Dealing with risk mgmt has always been a part of CEO job, that's why risk (business) auditors have existed for quite sometime. I never heard a discussion of them reporting directly to CEO. I'm not sure why the risk of network/server compromise is any different other than the technical aspects of it. And with all the Zero Day stuff going on, what exactly can a CISO even rate the risk as being at any particular time?

CEO: Well Bob, what is the current risk of having our email records compromised?

CISO: Well John, based on known attacks, I believe we have a 1.5% of being compromised on any given day. But if someone discovers a Zero Day, it could be significantly worse.

CEO: Thank you John, that is extremely useful in helping me decide how to increase our revenue, improve our quality of service, and lower our cost. Glad to have you on the team!
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.