For certain critical IT deliverables, CIOs and CISOs embody the inherent tension between cybersecurity and operational requirements. Where the CIO is charged with delivering efficient IT infrastructure at low cost, the CISO is charged with ensuring that the same IT infrastructure operates within the risk tolerance parameters set by the board and CEO. Organizational structure has a lot of influence over how these functions operate and interact, and it can either exacerbate power struggles or facilitate alignment. Let's look at three common organizational structures and how CIOs and CISOs can work together to achieve their objectives.
Most Challenging: CIO controls CISO budget and rates CISO performance
When the CISO reports to the CIO, the onus is on the CIO to decide whether to fund and support cybersecurity initiatives, or the core deliverables that the CIO is charged with delivering. If a compromise has to be made, the CIO may be tempted to sacrifice security over functionality or infrastructure improvements.
This reporting structure can create an environment that discourages the CISO from fully disclosing risk to the CEO and board. In other words, CISOs who answer to CIOs are more likely to shape their message to please the boss.
Advice: Create a safe environment where honesty is valued
A CIO must make it safe for the CISO to be honest without fear of retaliation, and in turn, the CISO must have the courage to trust the CIO and communicate openly about risk. CISOs are responsible for helping CIOs understand risk and making it easy for them to mitigate that risk. If the CIO chooses to ignore the risk and can't articulate why, then the CISO must be prepared to escalate the issue to other executives and/or risk owners.
Better: The CIO and CISO are separate roles, reporting to different execs
When the CIO and CISO report to different executives, some of the challenges discussed above are removed. But the tension between the two missions does not disappear; it moves up a level, to the executives they report to. The failure to patch the Apache Struts vulnerability that led to the Equifax breach of 2017 illustrates the point. As Richard F. Smith, the CEO of Equifax, explained to Congress:
On March 9, Equifax disseminated the U.S. CERT notification internally by email requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with Equifax's patching policy, the Equifax security department required that patching occur within a 48-hour time period. We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.
While it's not clear why IT personnel did not patch the vulnerability, it is clear that the warning from the cybersecurity department and the security patching policy were not followed. This type of breakdown is more likely to occur where the IT personnel report up to a CIO and the cybersecurity personnel report to the CISO with separate sponsoring executives. Neither has complete and unambiguous responsibility for patching, which is not conducive to decision-making.
Advice: Rise above the conflict
In this scenario, the CISO and CIO must be careful not to amplify whatever misalignment exists between the executives above them. A good CISO and CIO will be "bigger" than the roles they're in and decide between themselves what's best for the business. The priority should be visibility and effective execution, even if it means compromise. Constant, open communication in this scenario is crucial.
Best-Case: Separate roles reporting to a single executive
Ideally, the CIO and CISO are two separately defined peer roles that report to one executive responsible for delivering a secure IT environment that supports the business strategy. This helps ensure that the CIO and CISO have mutually complementary requirements. When a disagreement arises, one executive is accountable for making a decision that is beneficial to the business.
Advice: Maintain transparency across the organization
Everyone needs to be on the same page when it comes to evaluating and prioritizing different types of risk (information security, operational, and financial). Ideally, transparency and healthy communication exist across the environment. When there's transparency across all types of risk, the business can make high-level executive decisions regarding which ones to transfer, mitigate, and assume. The CISO isn't in a position to minimize or overstate risk. Everyone puts their cards on the table, and decisions are made based on what's best for the business.
To be successful in their missions, CIOs and CISOs must be in alignment. A vulnerable IT infrastructure won't withstand today's threats, and without an IT infrastructure, there's nothing to secure. At the end of the day, it's about enabling the business, and that can only be done together.