Where Should the Chief Information Security Officer Reside in Your Org Chart?

The debate over the placement of the Chief Information Security Officer on the org chart continues. The information security community seems to agree on the premise that separation of duties should ensure an information security function can operate autonomously, with a mission separate from that of an IT function. The opposing argument is also made, since successful information security programs exist today within the ranks of IT. However, few conclusions have been drawn about the common factors that contribute to the success of an information security program as it relates to the organizational location of the CISO. So what might these success factors be?

1: Management Direction and Support

A common concept is a need for management buy-in to an information security program. More than just buying in, the executive team should be thoroughly involved as a stakeholder and a governance participant for an information security program. A CISO must have the autonomy, visibility, and decision-making authority to set strategy, drive change and have influence throughout the business. Reporting through the IT function without these can constrain the abilities of an information security function by forcing alignment with a mission that is narrow and contradictory to that of an information security program, limiting the exposure necessary to articulate information security initiatives upward.

To be fully effective, a CISO must have the means to garner executive support. To accomplish this, a CISO should be in a position to directly engage executive management, either through an appropriate reporting structure or through an executive council or committee.

2: Delivering Security Awareness Upward

Beyond end-user awareness initiatives, the CISO should have responsibility for educating the executive team on information security matters that are specifically relevant to executives. This highlights the need for the CISO to have access to and visibility at the highest management levels. Delivery of valuable and informative content via metrics, reports, dashboards and executive presentations should articulate and educate on IT and information security risk, to foster sound business decisions, and gain support for information security initiatives. Ultimately, an upward approach to information security awareness should prevent information security from becoming an afterthought of the executive team by providing relevant, actionable and measurable information on a consistent basis.

Reporting through an IT function has the potential to break or limit these communication channels. This can be compounded by a conflict of interest between a CISO and IT management, especially when information reported by a CISO has the potential to highlight deficiencies in IT processes and capabilities.

3: Accountability

The driving force behind information security needs to first come from educated and thoughtful decisions of an executive team that understands the executives themselves are accountable for information security.

As security incidents become increasingly visible to the public, there is a greater tendency for incidents to shift toward crisis management processes for reputational damage control. An unfortunate aspect of a reactionary industry like information security is that it takes an impactful event, like a breach, to drive meaningful change. The reality is that publicized information security events expose the disconnect that often exists between the executive office and an organizationally buried CISO.

Placement, or misplacement, of the CISO role under an IT function, to continue the example, can come from one of two things: intelligent decision-making based on careful assessment, or negligent disregard and a lack of accountability at the executive level for a function that seems vitally more important with every public breach. It may make sense for the CISO role to report through IT operations in some cases, where an IT function leader is well versed in information security and can provide enough executive access, autonomy, and authority to a CISO to avoid conflicts of interest. However, the executive team must be cognizant of the challenges and risks associated with remaining disconnected from an information security program for which they are accountable. The success of the CISO deserves the attention and support of the highest organizational levels.

Conclusion

Some may contend that one way is better than another for the organizational placement of the CISO, and in many ways, some concepts can be better than others. There is no definitive right answer, but there are factors that can contribute to a CISO’s success and effectiveness. As breaches continue to make headlines, executives need to consider how their CISO best fits into their business construct, so the role can not only be an effective leader of an information security program but a resource that provides necessary interfacing and awareness to the C-Suite.