Posted by Kevin on April 13, 2015.
The optimum position of the Chief Information Security Officer within the corporate hierarchy has been debated for years; and it’s not likely to be settled soon. Historically – and there’s a lot of logic to this – it belongs within and has emerged from IT. We still more often than not define the subject as IT Security. And it’s still true that a security engineer needs a lot of IT knowledge to install, configure and tune a complex security product.
It’s not so clear whether the CISO needs that level of hands-on capability: a general does not need to be an expert in hand-to-hand fighting in order to plan a successful campaign. To complicate matters, security is no longer simply a subset of IT: it needs to liaise with HR for matters of identity and access management; it needs to liaise with Legal for matters of regulatory compliance; and it needs to liaise with Business in general to ensure that it can align security practices with Business requirements.
And yet, statistically, more than half of all CISOs still report to the CIO and are still, technically, a part of IT. This leads to the single biggest difficulty for CISOs in this position – there is an inevitable conflict of interest between Security and IT. The purpose of IT is to facilitate the Business. Now, you can dress this up any which way you choose – and no CISO I have ever spoken to likes to admit this – but the purpose of Security is to stop things.
At its very best, this can be spun as, ‘the purpose of Security is to limit the bad habits of Business’; or at its very, very best, it can be spun as ‘the purpose of Security is to facilitate bad habits in a safe manner, and remediate the rest’. But there is always the potential for an underlying conflict. Business can say, ‘we want to do this with that product,’ and IT simply needs to say, OK, we’ll put that in motion. Security, however, might feel it ought to say, ‘Whoa, you can’t do that, it’s just not secure and the potential ramifications are enormous.’ One allows while the other stops.
An example can be found in mobility and the cloud. If Business wants to use a particular cloud service and IT facilitates it, Security is presented with a fait accompli. If it believes the cloud service to be insecure, it can object – but if it does so it will lose friends, and Business will use the service anyway.
Negotiating this conflict is one of the CISO’s biggest challenges. It requires communication skills beyond the norm; and it is made more difficult when you have to say no to your own boss. While the majority of CISOs report to the CIO, the majority of those that do so would prefer not to.
This raises a major question. If Security does not fit within IT, where does it fit? The idea that Security should have a seat on the Board, or report directly to the Board, is an attractive one supported by both many CISOs and the majority of security commentators. Surprisingly, not all CISOs agree. The suggestion is that CISOs need a buffer between Security and the Board; but one that will fight its corner in a way that IT cannot.
The concern is that if the CISO sits on the Board continually demanding higher budget and stronger controls it will rapidly be ignored or sidelined by the rest of the Board. However, if it is represented on the Board by someone else who also has other Business relevance, it will not be ignored – nor will it become that annoying unit that only causes problems for Business.
The preferred option is that Security stops reporting to IT, and reports instead to the Chief Risk Officer (CRO). This makes sense. Security is no longer just an IT issue – it is a Business issue that addresses or at least touches every risk to any part of the company.
And there is another advantage to the CISO if this happens: career path. It is easy to envisage a CISO progressing to either CIO or CRO – but it is much easier to see a Risk Officer becoming a CEO than to see an IT chief making the same jump.
Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.