Paul Connelly has been in the Information Security field since starting his career at the National Security Agency in 1984. He was the first Information Security Officer at the White House, where he served under three Presidents. He was also a partner leading a regional cybersecurity consulting team at PricewaterhouseCoopers for six years. He retired in April 2023 from HCA Healthcare, the largest private sector healthcare provider in the US after twenty years as their Chief Information Security Officer. He now serves as a technical advisor, educator, and board member.
Cyberattacks are shutting down critical systems and operations across all industries, and organizations are paying tens of millions of dollars for defenses and insurance, and potentially 10X or more if they have breaches. Given this immense risk, organizations need to look at every lever at their disposal to optimize their cybersecurity program. Changing the reporting structure of the Chief Information Security Officer (CISO) may provide a low-cost opportunity for significant improvement.
The most common and traditional reporting line for the CISO position has been to the head of IT/CIO. In some cases, the CISO may report to the head of Compliance. These reporting structures have been the historical standard, as cybersecurity was primarily focused on IT infrastructure and compliance, and the CISO sat in middle management. CISOs tend to be heads-down, focusing on the people, processes, and technologies that make up the bread and butter of their programs, and their reporting structure may be taken as a given and seen as politically risky to challenge. So – these reporting lines made sense in the past, and for many reasons, including the inertia that must be overcome to change them, they have tended to stay that way.
Do legacy reporting lines make sense in today’s high risk environment? Business risks in cybersecurity drive the need for the modern CISO to have greater engagement across the organization than in the past. Around the world, regulatory bodies are making it clear – top leadership needs to be directly engaged in cybersecurity, boards are being pushed to add cybersecurity expertise, and it is not just an IT or compliance issue or something to be buried under layers of management. Organizations should look to maximize the effectiveness of their CISO, commensurate with today’s level of risk and focus.
Success factors for the modern CISO include –
- Resources: Having the right people and technology.
- Visibility: Being positioned to see what is happening day-to-day and have early warning of what is coming around the corner in the business; and to be seen by business leaders and the workforce.
- Voice: Unfettered ability to interact with top leadership, business units, the workforce, and even the board. A CISO may have to call “All hands on-deck” or raise a risk with a key business initiative, and they need backing from senior leadership and the board to give that voice credibility.
- Partnership: Working with business leaders who understand and “own” their part of the cybersecurity risk.
- Decisions made at the top: Decisions on cybersecurity budget, staffing, and resolution of risks should be made at the CEO’s senior leadership table, not within IT or another business unit.
The right reporting structure can boost all of these CISO success factors. The ideal scenario is to move the CISO out from under layers of management, make them a business leader at the senior table, and enable them to directly present the risks, program strategy, issues, and resource requests to top leadership and the board. In most organizations, this means reporting to the CEO, CFO, COO, or Chief Risk Officer.
How and why this change can help
CIOs and Compliance executives who oversee CISOs in legacy reporting structures have broad and expanding spans of responsibility and are likely not cybersecurity experts. These leadership roles require different skills and backgrounds, have different goals, and are rewarded for different things than the CISO.
The CISO must partner with all business units and leaders and connect with every single person in the enterprise to be effective, so visibility and positioning in the organizational structure matter. Perhaps most important, the CISO must provide an independent view of technology and business risks to top leadership and the board. There may be times when there is “healthy conflict” with the CIO or other business leaders. This access and independence can be difficult to maintain, and may even be squelched, if the CISO is a level or more down in the organization and reports to anyone other than the CEO, CFO, COO, or CRO.
Having the CISO at the senior leadership table helps top leadership be directly connected and involved – no more intermediary speaking on behalf of the CISO. They hear the perspectives of the CIO, other business leaders, and the CISO on critical points, and they are the decision-makers.
Summary
There is no one right model that fits all situations, and this change may not even be feasible in organizations where the resource pool is small and staff must wear multiple hats.
If your organization could potentially benefit from this change, the first step is for the CISO to define and elaborate the pros and cons and the allocation of responsibilities. Then have a transparent and thoughtful conversation with the business leader where the CISO reports today and develop a plan to jointly discuss with your CEO.
A last point – for this to work, the CISO needs to up their game and earn their place at the senior leadership table. They need to come out of the SOC (Security Operations Center) and have the executive presence and communication skills needed to stand on their own, compete for scarce resources, develop partnerships, have the business acumen to speak about risks, and make the case for cybersecurity.
My prior organization, which is a Fortune 100 company, went through this analysis ten years ago and moved Information Security out of IT, and eventually to a spot at the senior leadership table. That was a game-changer for our program’s visibility, access, and effectiveness. At a time when we are all searching for every edge for our cybersecurity defenses, this is an out-of-the-box concept that warrants consideration.