Weak Communicator – Weak Chief Information Security Officer

Securing its networks and data should be a top priority for any leadership team, hence the importance of hiring a Chief Information Security Officer (CISO). The requirement to secure data is growing as companies realize the potential liabilities of losing that data. Even with this awakening, CISOs have not yet reached the C-suite level in most organizations. The irony is that the C-suite consists of executives who have a board-level responsibility to protect stockholder and stakeholder interests. And, in our ever-digitizing world, the CISO may be the one voice the board of directors most needs to hear.

I suppose we should be grateful for the position at all. A few years ago, the importance of cybersecurity was minimized across both the government and the private sector. Today, the CISO still fights the stigma of being a drag on the company's bottom line rather than being seen as the resource that stands between the organization and digital risk. The role exists to set the digital security strategy and to ensure that operations function securely.

Typically, the CISO is placed under the Chief Information Officer (CIO). The CIO is responsible for delivering technology access where it produces the most business value. From that vantage point, cybersecurity is one subset of technology management, and it is measured against the amount of risk the organization decides it is willing to accept. In most cases, that risk appetite is an organizational prioritization decision rather than one based on the known threats.

While the government prioritizes cybersecurity by complying with the Federal Information Security Management Act (FISMA), there is no comparable general mandate for cybersecurity posture across the private sector. That is part of living in a capitalist society: we have the power of choice. As such, the CISO role reports differently across government and private-sector organizations, and there is no indication of which arrangement is most effective. The culture of the organization appears to have the more significant impact. Let's look at a few major corporations and compare the pros and cons of the CISO sitting under various C-suite executives.

Where Should We Position the CISO?

The CISO's role is to ensure that security operations run smoothly, with few disruptions from threats to the confidentiality, integrity, and availability of the network. Among other responsibilities, the CISO implements programs that mitigate vulnerabilities, ensures that the IT network infrastructure is designed with security best practices in mind, and communicates the importance of cybersecurity to leadership.

As I stated, the reporting structure varies from organization to organization. For instance, major corporations such as Capital One and Microsoft placed their CISOs under the Chief Financial Officer (CFO) and the Chief Technology Officer (CTO), respectively. The ability of the technical CISO to communicate with these corporate leaders in their "business speak" is critical. An inability to present the case for a specific strategy, expenditure, or course correction limits the effectiveness of the CISO. Unfortunately, a lack of communication can magnify risk and open the organization up to unnecessary network disruption and reputational loss.

The C-Suite Umbrella

Every organization has discretion over where to place its CISO, assuming it decides the position is warranted at all; some organizations don't see the value in having one. As mentioned previously, the Capital One CISO sits under the CFO. Despite the belief that reporting to the person who controls the finances could be beneficial, the CFO often views cybersecurity as a cost center. CISOs frequently struggle to explain the importance and value of the desired security posture, because security spending appears to run counter to cash-flow objectives.

Unfortunately, the return on investment in cybersecurity is rarely visible: the payoff is the breach that did not happen. We are not yet punishing companies that have been breached by cyber means. CISOs are typically judged on the absence of data breaches and/or on thwarted cyber-attacks. Metrics about bad actors in the network, or other status points that deserve the attention of executives, are often simply not available.

Understandably, CFOs want to see metrics and tangible results in order to understand whether the money is being spent effectively. In the CFO's world there is no room for waste, and expending funds on products and services that don't produce revenue can be deemed wasteful. Therefore, CISOs without backgrounds rooted in business often butt heads with the CFO.

On the other hand, Microsoft placed its CISO under the CTO. Not shockingly, the CTO is all about technology and the opportunities to advance the company's priorities through technology. The CTO is responsible for managing the organization's technology infrastructure and the people who run it, its networks and systems, and its relations with the business units. Despite sharing a few objectives with the CISO, CTOs are not always keen on investing in outdated infrastructure. Their instinct for resolving vulnerabilities is to think forward and replace legacy systems rather than to keep spending on outdated, insecure infrastructure. The CISO, who must secure whatever is actually running today, again struggles to highlight the value of investing in compliance and patch-based activities on those systems.

It’s All About Communication

It's an oversight of leadership to assume that having a cybersecurity team means the organization is secure. A corporate-level security team is essential, but how the CISO, its leader, communicates with the executive team is just as critical. For any organization to be successful, its networks must be secure and its CISO must be heard. Thus, moving the CISO to the C-suite level should be something every company strongly considers. Equally, hiring a CISO who has the requisite business background must be a priority.