Posted by Kevin on June 30, 2015.
So here’s the problem: the majority of CISOs report to the CIO; and the majority of those that do, wish they didn’t. They have two primary arguments: firstly that they require complete control over their own budget and that it should not be part of the IT budget; and secondly that there is a potential conflict of interest between CIOs and CISOs.
An example of the latter can be found in a company’s attitude towards BYOD. If the business demands it, IT can provide it. This can happen without any reference to Security – and yet BYOD is one of the biggest security issues any company faces. Indeed, you could argue that the whole problem of Shadow IT arose because Security was not sufficiently involved in the evolution of BYOD.
Most security commentators and ‘experts’ also recommend the dissolution of the CIO/CISO relationship. This has been standard advice for more than a decade. In 2010 Symantec published figures suggesting that 72% of CISOs still report to IT; and this is not far off the current figures from Wisegate suggesting that around two-thirds currently do so. Why is there such a demand for – and resistance to – change?
Insights spoke to two CIOs, themselves members of the Wisegate community, to see what they think.
John Oborn is CIO at the Niagara Frontier Transportation Authority. He believes that it is right for the CISO to report to the CIO. “The roles, responsibilities and functions of the CISO and security department,” he told Insights, “are tightly coupled with other areas of IT (infrastructure, network, etc), all under the direction of the CIO. Having the CISO and security department outside of IT would inherently create finger-pointing and conflicts.” In other words, the CISOs’ conflict of interests argument is correct, but the wrong way round.
Gary Bailey is CIO at Penn Virginia, an oil and gas company. He takes an almost identical view. “I believe,” he told Insights, “that IT security must report to IT (that is, the CIO) because there are so many inter-dependencies between the technical infrastructure, telecom network, core business systems, and software security systems. One can cause the other to conflict in a technical computing environment. There must be one person who can knowledgeably make final decisions for the greater good of the entire computing landscape. Otherwise, companies will end up in a finger-pointing exercise when problems/issues are encountered and it will be very difficult to ascertain responsibility and follow-up actions post issue/problem/breach.” In claiming authority, both CIOs accept responsibility.
But if the work of IT and security are so closely bound (notice that it is traditionally ‘IT security’, and has only recently become ‘cyber security’), do we even need a CISO? Could the CIO cover both IT and security? Bailey thinks not. Cyber security, he told Insights, “is very much a growing problem that needs tremendous focus and the implementation/monitoring of counter measures. I do not believe the CIO can provide both functions mainly due to time constraints required for understanding, implementing and monitoring counter measures, and dealing with other areas of IT that have similar risk.”
Oborn agrees. “It is too much for the CIO to perform both… It is more than I can handle in addition to the rest of my duties – and we only have 400 users.” (That, of course, does not include the millions of public transport users within his Transport Authority!)
There’s a difficult balancing act here. The person in charge of security needs to be able to communicate with the heads of all other business units. Getting time in the diaries of the C-suite is going to be much easier if the head of security is also a C-level officer: Senior Vice Presidents are not going to have much time for a Security Manager. So the head of security has to be called Chief Information Security Officer for the role to work. “I personally think,” said Oborn, stressing that it is just his opinion, “many times it’s the CISO’s agenda to have a perceived higher visibility in the organization because of the title.”
But what about the budget argument? CISOs believe that they need control over their own budget, separate from IT, to be able to operate effectively. Oborn says simply that if we’re talking about IT or cyber security, it has to be part of the IT budget. He does not believe that either the CIO or the CISO should be responsible for non-IT forms of physical security – unless there is no alternative.
Bailey agrees – the security budget should be part of the IT budget since “it is directly related to the conduct of electronic computing and communication in every company.” But he doesn’t think this should be a problem. “Certainly the CISO branch or cost center of IT should have its own budget, goals, objectives, metrics, and so on that roll up to the overall cost of IT to a company. This is not very different to the Help Desk branch, applications development and support branch, or data center operations branch, that all roll up to the CIO.”
It seems clear that from the CIO’s point of view, the CISO reporting to the CIO is a no-brainer. And that would indeed explain why it is still the status quo after many years of an independence campaign. But there is possibly another reason for CISOs seeking to come out from the shadow of the CIO. CIOs sometimes joke that the true meaning of their acronym is Career Is Over – and it is difficult to see where you go after being in charge of IT. CISOs are unlikely to be happy reporting to a position that can go no further.
Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually and privately to discuss issues and problems in IT and information security.