reporting structure cybersecurity

Reporting Structure Is Not All Ego

The Chief Information Security Officer, like the character Forrest Gump, seems to always appear in various places at the right moments. The CISO’s place in the organization varies widely, depending on the situation, according to most experts.

However, unlike the naïve movie hero, the CISO doesn’t merely stumble into the action, but is a key player. Still, insiders say there’s no one-size-fits-all structure; a number of factors decide where the CISO’s place falls in the organization, mostly based on the company’s focus on information security.

“When I was a CISO reporting into CIO, I was of the opinion I needed to report outside of the CIO,” said Paul Catalayud, of Palo Alto Networks. But then, he adds: “I did have the opportunity to report outside of the CIO as a peer in another organization. Each experience had it pros and cons, with trade-offs and advantages. The reality is the easy answer to the question of CISO reporting is that ‘it depends’”

A technology company, for example is more focused on protecting its IP and integrity of its technology platform, while a retail company would be more focused on consumer trust and keeping its online functions available to the public. The CISO’s priorities would vary in either case—and so would the reaction from other business units.

Aligning goals is very important, said Lucas Moody, VP and CISO at Palo Alto Networks; that can be done through the organizational structure or also by empowering the CISO. “CISOs with the appropriate voice can be enabled to give security risks and other business risks a level playing field when making decisions,” he said.

“Every person in these roles can make it work or can struggle,” said Catalayud. “It all boils down to incentives.”  If the way leaders are measured and rewarded is at odds with the CISO’s need for security, conflict arises, he explained: “Other leaders, focusing on meeting these goals at all costs, may view the CISO and the security organization as a speed bump, or barrier to success.”

For example, in an e-commerce organization, the CIO is in charge of the platform responsible for the revenue of the company and the leadership and board will value availability and uptime above all else, Catalayud explained. The CIO’s priority in keeping it always up and available can clash with the CISO’s to protect the technology; the reporting may need to be evaluated, he said.

Conversely, in an organization that values consumer confidence, the CIO’s incentive is to place that above all else, and moving the CISO to another position would be harmful, because the CIO can secure budgets and support for the CISO, said Catalayud. “Any risks the CISO (can) identify that may impact trust will be embraced by senior leadership,” he said.

“The scale, scope and complexity of the organization and the potential downside of a cyber-attack all would weigh into where the CISO is reporting to in the organization,” said Selena LaCroix, global leader of Egon Zehnder’s technology and communications practice. A global financial institution, holding critical personal information in a highly regulated industry, would need to elevate the CISO role. Meanwhile in a consumer-facing company, the sales leaders’ need to execute quickly to build revenue would be at odds with the CISO’s security imperatives and spending.

Regardless of the reporting structure, CISO must work hand in hand with the CIO, CFO, General Counsel, HR and business unit leaders and CEO not only to ensure adequate infrastructure to prevent and deal with a breach “but more importantly,  a culture of security is proliferated in the organization,” said LaCroix.

CISOs need to build trust with top management, says Moody. When employees see top executives setting a precedent on cybersecurity do’s and don’ts, the message is loud and clear what is expected of everyone in the organization. In particular, CISOs need a strong partnership between information security and information technology teams to prevent breaches and to assure that resources are available when needed.

“About 80% of what a CISO does cuts across lines of business. The (other) 20% is the magic,” said Larry Ponemon, founder and Chairman of The Ponemon Institute. A company’s size, footprint and line of business are all factors, but they weigh differently on each company, he said. For example, the Institute is a small organization, but it works globally, so it’s subject to regulations such as the EU’s GDPR rules.

“That 20% magic tells you the things you need to know for success,” said Ponemon. “If you don’t know that 20%, that’s trouble.”

An independent security audit is a good place to start, to create a strategy and a structure that includes the CISO’s position, said Ponemon. Currently, two thirds of CISOs report directly to a C-level executive: 49% to the CIO, 9% each to the CTO and CFO and 8% to the general counsel; only 4% report directly to the CEO, according to a recent Ponemon Institute survey on the role of CISOs in business organizations.

“Empowering the CISO is critical in the CISO’s ability to influence the company’s leadership and the Board and be able to get things done in the organization,” said LaCroix. Cybersecurity is an enterprise level risk, she warned: “A CISO who is stuck in the IT back office with little ability to make critical decisions and /or having adequate resources is crippled in affecting change in the organization.”

The Ponemon study found 69% of CISOs see the appointment of an executive-level security officer as an important factor affecting companies’ ability to protect data. The survey also found that nearly two-thirds of CISOs are at or above the director level in their company’s structure.

But Ponemon warned that some of those titles may be only on paper, mainly to comply with cybersecurity insurance policies that require companies to have a CISO. “Companies doctor that paper trail,” he said.  “That doesn’t do much for the organization,” said Ponemon. “You need a CISO who’ll put all on the line if they have to.”

The study found many CISOs report to the CEO in cases of breach, but on a day to day basis, they should be closer to the action, said Ponemon. When there’s a data breach, the company wants to demonstrate they have a strong CISO in charge, to reassure the markets and their cyber insurance policy underwriters, but things go back to normal after, he said.

Without the rank and seniority, CISOs may not have the authority to make other business leaders take security measures that counter their goals. The CISO can’t improve governance without the power of the title, he explained. Some companies even decentralize the CISO role across units to fit their business model, but that “leads to chaos,” he warned: “You ’re tripping over the guy who has your job in another unit. It creates political problems.”

“You want the CISO job description and the reporting responsibility chain of command to be on the up-and-up and truthful, and you want the C-level executives to acknowledge the CISO is important. Without a strong CISO, you can’t go to business these days. You can’t transform digitally without control of your assets.”