Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report. Some say the CISO should report only to the CIO because the top security role is inextricably linked to IT. Others say this is a terrible idea because the CISO must lock down the corporate network while the CIO is challenged to innovate. A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.
MIT professor and panel moderator Stuart Madnick asked the CISOs to whom they believed they should report. State Street CISO Mark Morrison suggested that the common model of security chiefs reporting to IT leaders is no longer tenable. "I think there needs to be some independence of the CISO from the IT organization," said Morrison, who provides information security for a financial services company with $30 trillion under custody.
Cybersecurity fears have CISO role under heavy scrutiny
Corporate boards have made it their business to become well-versed in cybersecurity, following an onslaught of hack attacks, breaches and other pernicious scams. Boards are calling for CISOs to join the CIO to provide joint updates, ostensibly in the interest of better governance and oversight. The increased focus on corporate defense is making it harder for CISOs who report to CIOs to do their jobs, raising the possibility that it might be time to rethink the security chief's reporting structure -- at least according to Morrison and some of his panel peers.
Morrison has dual reporting lines to CIO Antoine Shagoury and the board, whose technology committee he meets with nine times a year, accompanied by the CIO. Inevitably the board asks Morrison to report on cyber risk, including what additional tools they should invest in to improve protection. That's when things start to get dicey, as the board asks him if he's getting enough support and money to do everything he needs to do. Sitting next to his CIO, "it's hard to give a very honest answer to that [question]," Morrison said.
The tension ratchets up when Morrison outlines the company's vulnerabilities and the board asks him why he isn't "moving faster" to fix them. "My response is, that is not a question for me to answer; that's a question for the CIO, because I'm not responsible for patching -- that's the operational element," Morrison said. "So we run into a lot of these conflicts that don't really get resolved."
Sam Phillips, panelist and CISO for Samsung Business Services, said that it can be tough for CISOs to get the money, talent or other necessary resources to drive security programs while working under the CIO. "The CISO should be an independent body doing governance, risk and compliance in addition to validation and implementation of the security program," Phillips said. He suggested the CISO might be better off reporting to chief legal or chief risk officers, who report to audit and board committees.
Why the CISO should remain under IT
Despite all the heady talk about GRC, CISOs still toil in a highly technical role; those who seek and win independence from IT risk sacrificing credibility with their peers. Shumard and Associates principal consultant Craig Shumard told CIO.com that the CISO is better placed in the IT organization than not because as much as 80 percent of the role is technical in nature.
"It's a lot easier to get the attention, support and respect of IT people when you're in the IT organization," said Shumard, who maintained both operations and governance control while working for four CIOs during a 10-year career as CISO of insurance provider Cigna. "CISOs reporting to a CIO have both an operational as well as a governance responsibility and that makes them much more effective."
Having operational and governance control over cybersecurity afforded Shumard the latitude to be creative. He says he gave each business unit, including IT, security scorecards to rate how they were performing. "When those score cards came out and the senior management saw them, it wasn't me responding to why patches weren't done, it was the people who owned it," Shumard says.
Indeed, not every CISO on the MIT panel said reporting to IT presents a conflict of interest. Roota Almeida, head of information security for Delta Dental of New Jersey, says she has reported to CIOs in two of her CISO jobs, including her current position. But she said that organizational culture dictates whether the CISO-CIO reporting structure works. "In a different industry, a different organization, maybe I should be reporting to the chief legal officer," Almeida said.
Changing dynamics across many industries may render the discussion moot.
With breaches continuing at a rapid clip and the attack surface widening thanks to the Internet of Things, cybersecurity will increasingly be shunted away from IT, predicted R. David Moon, CEO of incident response consultancy TriPath Media. He said companies must bolster their defenses without overburdening IT departments. That creates more opportunities for CISOs to grab governance and operational oversight while freeing the CIO to focus on innovation. "We don't see a lot of CIOs who want to be responsible for the GPS' in truck fleets, or smart doors and thermostats," Moon said.