Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

8/31/2015
10:30 AM
Kevin West
Kevin West
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Top Infosec Execs Will Eventually Report To CEOs, CISOs Say

But becoming a trusted resource to the executive suite will demand major changes in the traditional chief information security officer role.

As security trends continue to become a top-of-mind concern in board rooms and executive suites, so has the issue of where the chief information security officer should sit in the corporate hierarchy. It’s an important question that K logix recently posed to a small sampling of CISOs. The results were surprising and encouraging.

We conducted telephone interviews of 34 CISOs, more than half of whom today report to the chief information officer, with 15% reporting to the chief executive officer, and the rest reporting to the chief operating officer or the head of a risk-related organization. When we asked about the future role of the CISO, 50% of our participants predict that the role will report into the CEO “in the near future.”

The CISOs identified a number of reasons why the role should move out of the IT department. Some said that reporting into the CIO introduced a conflict of interest because security teams assess both the risks of specific technology systems and also often recommend that technology be used to address the risk.

Phil Curran, who reports into the compliance department as chief information assurance and privacy Officer at Cooper University Hospital, initially reported into the CIO, but found that the reporting structure limited his ability to effectively communicate risk to other business units.  He told K logix researchers in an interview, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”

Others believe that the CEO needs to hear directly, and frequently, about risk. Christopher Dunning, CSO at Affinion Group, a marketing services organization, told us that it makes business sense to run information protection or security outside of the IT department.  “Security is not just a technical problem, it is also a business challenge. It cannot be solved with just a technical solution. You have to also take a business-centric approach.”

The CISOs in the study reported an average of ten months in their position, and 71% were in the role for the first time. While most CISOs we contacted still report into the CIO, it is notable that those in their second, third or fourth CISO role are the ones most likely to report into the CEO today. One reason could be because when CISOs look for their next opportunity they seek CEO-level sponsorship of the security organization.

Steve Bartolotta, CISO at Community Health Network of CT, and formerly CISO at Yale New Haven Health System, is a good example of that strategy. He told us that, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”

Still A Work In Progress

With just 15% of CISOs currently reporting into the CEO, security leaders have plenty of work ahead of them. It won’t be easy to move out of the IT organization and become an autonomous and business-focused organization with direct access to the CEO and more influence with the board of directors. Here are four ways I believe security teams can position themselves for this change.

Explore: First and foremost, security leaders must be explorers. It is imperative to identify all the risks as well as opportunities that exist in the business environment. This requires a plan for exploration and identification. Most CISOs identify risk, but are not looking for opportunities. By identifying opportunities as well as risks, CISOs become business-focused allies to their peers.

Explain: Security leaders most relay both risks and opportunities to the business units in an effective, digestible, and actionable manner. If risks and opportunities are explained correctly, security has the ability to empower business users to make smarter decisions and work more effectively.

Innovate: Security leaders seeking to elevate themselves within the organization should also elevate their work beyond operational projects to a more innovative and transformational role. The right technologies can help them work smarter and be more analytical. By leveraging innovative, intelligent technologies, security teams can spend less time running systems and more time analyzing performance to identify issues and opportunities.

Advocate: Beyond deputizing employees and customers to be smarter about security, CISOs that report into the CEO will advocate for their teams and projects by explaining how security can impact business objectives.

The relationship between the CISO and CEO is already getting stronger, as CISOs report more one-on-one interaction with the CEO, and more requests for education and insight from the board. However, to become a trusted resource and direct report, the role of the CISOs must be perceived as critical to business performance and revenue. This demands changes in both function and focus. 

Kevin West is the chief executive and founder of K logix, where he oversees a team of data security experts who help customers build confident data security programs. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
0%
100%
TerryB,
User Rank: Ninja
9/1/2015 | 2:16:10 PM
Really?
I'd like to be a fly on the wall of those conversations. Why am I having a hard time believing that could be a meaningful direct dialog?

Dealing with risk mgmt has always been a part of CEO job, that's why risk (business) auditors have existed for quite sometime. I never heard a discussion of them reporting directly to CEO. I'm not sure why the risk of network/server compromise is any different other than the technical aspects of it. And with all the Zero Day stuff going on, what exactly can a CISO even rate the risk as being at any particular time?

CEO: Well Bob, what is the current risk of having our email records compromised?

CISO: Well John, based on known attacks, I believe we have a 1.5% of being compromised on any given day. But if someone discovers a Zero Day, it could be significantly worse.

CEO: Thank you John, that is extremely useful in helping me decide how to increase our revenue, improve our quality of service, and lower our cost. Glad to have you on the team!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...