PwC reported that 81% of investors and analysts responding to its 2018 Global Investor Survey ranked cybersecurity among the top three threats to business; more than half of those said that cybersecurity was the No. 1 biggest threat to business. The natural upshot should be that the CISO is more important to business strategy — but in many cases, that's an uphill climb.
The traditional view of the CISO is that of a specialized mini-CIO — existing to achieve compliance, put out security fires, and stand in as a scapegoat for when something inevitably goes wrong so the CIO doesn't have to take the heat. A case in point: Target had no CISO when it suffered its infamous point-of-sale mega breach in 2013; consequently, it was Target's then CIO who was compelled to resign shortly thereafter. Only then did Target create and fill a CISO position, answering to the new CIO.
Across both the private sector and the public sector, the plurality of CISOs report to the CIO. A subset of enterprise organizations, however, are increasingly realizing that this is a suboptimal approach.
For starters, many have recognized that a CIO having a CISO answer to him or her presents a conflict of interest because the CIO and CISO each have different budgetary interests and are measured against different objectives. Whereas CISOs are so security-driven that "security" is right in their job titles, CIOs are pressured to make decisions that favor business agility above all else; security is an afterthought compared with functional viability. Meanwhile, CISOs have "security" in their job titles for a reason — but a CISO who reports to a CIO or other IT operations manager is unlikely to report his or her boss to the legal department for inevitable compliance failures.
Over the past few years, Congressional staffers, federal, and state regulatory bodies, and industry collaboratives alike have made these same observations — specifically dictating that CISOs report to a risk officer, the general counsel, the CEO, or even straight up to the board of directors. Lately, these recommendations and requirements have begun to take hold. A May 2018 industry report from Dark Reading about the role of CISOs notes that the CISOs have at least a "dotted reporting structure" — if not a direct one — to boards and/or CEOs. And this reporting structure is crucial when it comes not only for mitigating liability and compliance risks (i.e., so that, after an inevitable data breach, the company can show regulators that its board of directors and CEO met with the CISO on cybersecurity issues x number of times every year), but also for crafting cybersecurity and data-stewardship solutions for effective business strategy going forward. Without the CISO, boards and CEOs may not even be able to identify the right questions to ask or the right problems to solve in the first place.
The whole concept of a CIO indicates that that person has full control of the company's infrastructure and IT decisions. A CISO would typically be a part of that, but that's not necessarily reflective of what the pecking order should be. Just because the CISO will work extensively with the CIO doesn't mean that the CISO should report to the CIO — just like the general counsel shouldn't report to the executive vice president of sales just because the legal department has to work extensively with the sales teams. These are separate entities working together incidentally — and the IT team and the information security team are likewise separate from each other.
This is because the CISO position is no longer a niche technology role. Cyber presence is sufficiently ubiquitous today that, for many enterprise organizations, the Internet is their primary (if not only) go-to-market platform. In this environment, the CISO's job must be one to step to the forefront and evangelize the following bullet points:
- "We are under attack." There are constant attempted cyberattacks — usually automated — every single day against every major enterprise.
- "Our attackers will succeed, eventually." Everybody's being breached. We, too, will be breached someday (assuming we haven't been breached already). We must be prepared with the knowledge and tools to minimize and respond both during and after a breach.
- "Cybersecurity is a business issue — not a tech issue." How we manage our cyber presence and secure our data drastically affects our ability to do business — from an accessibility standpoint, from a brand-trust standpoint, and from a regulatory compliance standpoint.
All of these bullet points combined make for a grander and more important message, which is one that investors already know: "Cybersecurity is about extreme monetary risk."
And there you have it. CISOs deal with far heavier risk assessment and risk management issues than do generalist IT leaders — to the point where their job is all about risk and only incidentally about IT, rather than the other way around. The CISO job therefore needs to just be part of the organization's risk hierarchy instead of the IT department. The CISO is, first and foremost, a risk manager — a digitally present risk manager, but a risk manager nonetheless.
Let the CISO answer accordingly.