Angels & Demons: The CISO & the CIO

While the importance of the Chief Information Security Officer has been in constant growth over the past six years, organisations that employ a CISO are still far too few. According to PricewaterhouseCoopers annual Global State of Information Security (GSISS) survey in 2006, the percentage of organisations employing a CISO stood at 22 per cent, whereas in this year’s report, the same statistic stands at 45 per cent, this figure is echoed by a Carnegie Mellon Survey of 2010 showing that only 47 per cent of organisations employ a CISO. Even a giant like Sony did not have a CISO in place until after the disastrous PSN hack of 2011.

Perhaps more markedly, in the 2012 survey PwC identified a “leader cut” of the most forward thinking respondents based on the answers to a few key questions. In this leadership group, the percentage of organisations employing a CISO was a much more respectable 84 per cent. These are identified as being the organisations and behaviours that other should be learning from.

So, assuming you have or are planning to hire a CISO, to whom should they report? In too many organisations the CISO is still reporting to the CIO despite the frequent pitfalls.  This reporting structure can be counter-productive. The question of reporting lines is often a source of friction and can really only be answered if you have managed to effectively differentiate and delineate your CIO and CISO roles.

Job descriptions are slippery amorphous things, so in the interest of impartiality I’ll use Wikipedia’s definition.  CIO is “a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals”, whereas CISO “is the senior-level executive within an organistion responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected”.

When put this simply, the conflict of interest in having a CISO report to a CIO becomes very clear. The person responsible for ensuring organisational information security can not be subordinated to the person responsible for technology selection and implementation. Rather the two should operate as a team, driving operational and information security up the boardroom agenda. An effective CIO/CISO team will take board level strategic directions and translate them into technological and process requirements for the organisation. The CIO ensures that best of breed technologies are selected and architected in the most operationally beneficial manner, the CISO ensuring that those technologies meet the security requirements of the business on an ongoing basis;  neither one being able to pull rank on the other.

In the case of a conflict arising between the two, which cannot be resolved through discussion the final say must comes down to business risk and operations, requiring the involvement of COO, CRO or even CEO depending on the organisational structure.

Securityshould now be a regular boardroom agenda item and it is only through the checks and balances of the independent CIO and CISO that it can be effectively addressed.