Debate continues over the “best” organization structure for supporting Chief Information Security Officers in their dual mission: mitigating cyber threat risk while maintaining a robustly compliant regulatory posture, all while enabling business services to continue conveniently between clients, partners and internal operations. Should the CISO report to the CEO? CFO? CIO? Some other officer?
To answer this question, we need answers to a few preliminary questions. Before we go there, let’s discuss the nature of security and cyber threat management.
As is often the case, threats and protections started out exclusively technical. Hackers wrote a virus that made mischief, then exploited a technical vulnerability to gain access, and we were off to the races. Professional staff “combated” evil hackers as part of their general responsibility for networks, remote access, servers and so on. Vendors quickly realized that tools could be built and sold, first to respond to a virus attack, then to prevent it, then to monitor for any new threat vectors. These tools require dedicated technical staff to operate cyber threat technologies and stay vigilant for the next creative cyber-attack. Security sits in IT and reports to the CIO. Disruptions are more about system availability, performance, and stability than data and financial activity.
Businesses become much more dependent on internet services for customer engagement, product delivery, and revenue. Hackers become interested in identity theft, fraud, and data ransom. Legislators notice, passing laws and regulations that require consumer protection and assign accountability to the targets of cyber threat – corporations. Accountability includes public shame, as laws require a compromised company to disclose breaches publicly. The nature and scale of security risk transitions from limited and temporary service disruptions to enterprise “black swan” events costing millions of dollars in future revenues, fines, fees and reputation damage that may be beyond repair. To further complicate things, cyber threat actors become well-funded and state-sponsored (upgraded from “hackers”!). They discover that the best way around security controls is through trusted user access – the most successful attack vector is no longer a direct attack, but internet-enabled “social engineering” efforts to collect or compromise authorized credentials.
Cyber threat management is no longer exclusively a technical problem. Now it is a legal, operational, marketing, strategic and human resource problem, of sufficient scale, impact and complexity that it deserves CEO and Board of Director scrutiny.
So, security and cyber threat mitigation, headed by a Chief Information Security Officer, cannot continue to report to the Chief Information Officer – it is more than technology, and a CIO might not recognize the business implications of risk in favor of other priorities. The CEO is ideal; after all, the Chief Executive is the only officer with sufficiently broad accountability to truly appreciate the importance to the enterprise and the authority to provide necessary support. But this is a very complicated and arcane issue, better delegated to someone with the time and perspective to understand the decisions. Chief Legal Officer? After all, there is a risk of violating any number of laws and regulations. By this logic, General Counsel would run the company! Chief Marketing Officer? Any decisions made about security will impact the customer experience, and a successful breach will require extensive customer support and communication effort. Chief Human Resource Officer? Any effective security program is going to include a significant security awareness program of training, privacy protection, and physical and data security awareness. Chief Financial Officer? CFOs share very broad fiduciary accountability for enterprise performance with the CEO, are often Board members themselves, and may be conversant with the issues since CIOs often report to them.
So how to decide? The best answer for any enterprise is likely to change over time, reflecting progress to date, current situation, and key exposures. Security and cyber threat programs will always require close partnership and some shared accountability between the CIO and CISO. Security cannot shut down access. IT cannot expose systems to threats. Any sound answer to security governance must include a well-designed and understood element of mutual accountability by both parties. Often the CFO, COO or CEO is already engaged in CIO governance. Setting up a three-way operating relationship can work with the CISO as a peer or a subordinate to the CIO. But it is crucial that the CISO is confident in their ability to speak candidly and independently about security needs.
If the immediate focus is on regulatory compliance, reporting to the General Counsel could make sense. An HR or operating executive might be a sound choice, particularly if security programs are otherwise well established and mature and the anticipated focus is on changing employee awareness and building compliance.
In each case, there is a risk of CISO governance becoming narrowly focused on those aspects of cyber threat management that are the domain of the governing executive.
So, to the questions:
How implemented are the technical aspects of security today? What is the relationship of the CIO and CISO now?
What are the near-term risk management objectives for cyber threat management? Can CISO governance support achievement or will an adjusted organization structure help provide alignment of accountability, support, and advocacy?
Will a reporting relationship change broaden and deepen the CISO and security team’s appreciation of some facet of security not well understood?
Will a proposed structure support CEO and Board periodic oversight?
Will the structure provide the CISO with a governing partner that recognizes the importance of security while providing context and a broader view of business implications to the enterprise?
Can the structure help assure and sustain access to financial support, leadership support and other assets necessary to the development and maintenance of a healthy cyber threat management program?
Undoubtedly, the answers to these questions will evolve, so reporting relationships must be revisited at least annually or whenever changes to executive assignments are being made.
In any case, security functions require robust, cyclical, transparent operating and oversight processes. An operating governance committee should meet at least monthly to keep up with threat evaluations, program operations, project goals and progress, coordination with partners (IT, Internal Audit, Legal, Operations, Training, and others). A quarterly review with executive stakeholders is a good idea, copying them on minutes from the monthly meetings. The lead executive should be sure to keep the CEO up to date if not engaged in the quarterly review. Internal Audit should update the Board Audit committee on their quarterly evaluation of security/cyber threat program direction and operations. Security and cyber threat evaluations should be included in the Enterprise Risk Management program, which enables these risks to be understood and appreciated in the context of broader enterprise risk.
The CISO should have direct exposure to the Board, providing at least a yearly update on threats, programs, operations, investments, goals, and projects. The Board must be aware that this is a risk area that cannot be resolved, requiring constant vigilance and investment as threats can and do evolve rapidly. Avoid any declaration of safety, even in the face of close questioning. No enterprise is safe from compromise if the threat actor is well funded and determined.
How prepared is your Board of Directors for cyber threat governance? Are you prepared to deal with a cyber event? Confident in current programs, structures and governance? Contact BrightWork Advisory, LLC to discuss a cyber threat engagement.