Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Terry Ray
Terry Ray
Connect Directly
E-Mail vvv

Is 2019 the Year of the CISO?

The case for bringing the CISO to the C-suite's risk and business-strategy table.

PwC reported that 81% of investors and analysts responding to its 2018 Global Investor Survey ranked cybersecurity among the top three threats to business; more than half of those said that cybersecurity was the No. 1 biggest threat to business. The natural upshot should be that the CISO is more important to business strategy — but in many cases, that's an uphill climb.

The traditional view of the CISO is that of a specialized mini-CIO — existing to achieve compliance, put out security fires, and stand in as a scapegoat for when something inevitably goes wrong so the CIO doesn't have to take the heat. A case in point: Target had no CISO when it suffered its infamous point-of-sale mega breach in 2013; consequently, it was Target's then CIO who was compelled to resign shortly thereafter. Only then did Target create and fill a CISO position, answering to the new CIO.

Across both the private sector and the public sector, the plurality of CISOs report to the CIO. A subset of enterprise organizations, however, are increasingly realizing that this is a suboptimal approach.

For starters, many have recognized that a CIO having a CISO answer to him or her presents a conflict of interest because the CIO and CISO each have different budgetary interests and are measured against different objectives. Whereas CISOs are so security-driven that "security" is right in their job titles, CIOs are pressured to make decisions that favor business agility above all else; security is an afterthought compared with functional viability. Meanwhile, CISOs have "security" in their job titles for a reason — but a CISO who reports to a CIO or other IT operations manager is unlikely to report his or her boss to the legal department for inevitable compliance failures.

Over the past few years, Congressional staffers, federal, and state regulatory bodies, and industry collaboratives alike have made these same observations — specifically dictating that CISOs report to a risk officer, the general counsel, the CEO, or even straight up to the board of directors. Lately, these recommendations and requirements have begun to take hold. A May 2018 industry report from Dark Reading about the role of CISOs notes that the CISOs have at least a "dotted reporting structure" — if not a direct one — to boards and/or CEOs. And this reporting structure is crucial when it comes not only for mitigating liability and compliance risks (i.e., so that, after an inevitable data breach, the company can show regulators that its board of directors and CEO met with the CISO on cybersecurity issues x number of times every year), but also for crafting cybersecurity and data-stewardship solutions for effective business strategy going forward. Without the CISO, boards and CEOs may not even be able to identify the right questions to ask or the right problems to solve in the first place.

The whole concept of a CIO indicates that that person has full control of the company's infrastructure and IT decisions. A CISO would typically be a part of that, but that's not necessarily reflective of what the pecking order should be. Just because the CISO will work extensively with the CIO doesn't mean that the CISO should report to the CIO — just like the general counsel shouldn't report to the executive vice president of sales just because the legal department has to work extensively with the sales teams. These are separate entities working together incidentally — and the IT team and the information security team are likewise separate from each other.

This is because the CISO position is no longer a niche technology role. Cyber presence is sufficiently ubiquitous today that, for many enterprise organizations, the Internet is their primary (if not only) go-to-market platform. In this environment, the CISO's job must be one to step to the forefront and evangelize the following bullet points:

  • "We are under attack." There are constant attempted cyberattacks — usually automated — every single day against every major enterprise.
  • "Our attackers will succeed, eventually." Everybody's being breached. We, too, will be breached someday (assuming we haven't been breached already). We must be prepared with the knowledge and tools to minimize and respond both during and after a breach.
  • "Cybersecurity is a business issue — not a tech issue." How we manage our cyber presence and secure our data drastically affects our ability to do business — from an accessibility standpoint, from a brand-trust standpoint, and from a regulatory compliance standpoint.

All of these bullet points combined make for a grander and more important message, which is one that investors already know: "Cybersecurity is about extreme monetary risk."

And there you have it. CISOs deal with far heavier risk assessment and risk management issues than do generalist IT leaders — to the point where their job is all about risk and only incidentally about IT, rather than the other way around. The CISO job therefore needs to just be part of the organization's risk hierarchy instead of the IT department. The CISO is, first and foremost, a risk manager — a digitally present risk manager, but a risk manager nonetheless.

Let the CISO answer accordingly.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Terry Ray has global responsibility for Imperva's technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...