Navigating the CISO Reporting Structure | Best Practices for Empowering Security Leaders
In the face of ever-increasing cyberattacks and data breaches, the need for experienced security professionals to helm security operations has risen as a top focus for many enterprise organizations. Chief Information Security Officers (CISOs) are now considered a critical role within senior leadership, but there are varied opinions on where they fit into the overall reporting structure.
As the role of a CISO has evolved, there have been many discussions about whom the CISO should report to. In most cases, a CISO generally reports to the Chief Information Officer (CIO); however, many argue that CISOs should not report to CIOs. This blog post explores ways that CIOs can better empower CISOs and help drive cybersecurity priorities within their organization.
Examining the Shared Journey Between Two Points
Let’s imagine an organization as a vehicle driving from point A to point B and beyond as it establishes its brand, grows its customer base, and continuously scales up.
CIOs, in this analogy, are busy laying the road upon which the vehicle travels. They work to build the smoothest, most cost-effective road, allowing the “driver” (the employees of the organization) to get to where they’re going faster than other “cars”. To do so, CIOs invest in leading-edge technology that helps employees work better and champion an ongoing process of digital transformation.
If the CIO is paving the way in this journey, the CISO makes sure that the vehicle is safe to operate, tuned, and regularly maintained to run without issue. A CISO’s objective is to ensure the vehicle can get to point B and beyond in a safe manner, protecting both the car and its driver from external dangers.
To achieve this, CISOs are responsible for building business-specific security policies, finding ways to reduce overall cyber risk, and building up cyber resilience through people, process, and the right technology.
Though CIOs’ and CISOs’ responsibilities are distinct, they share a similar objective: to enable the organization to grow and operate in a safe, streamlined way.
Role Relationships | How CIOs Can Enable CISOs
The role of CISOs has evolved in recent years to keep up with a rapidly changing threat landscape and moving goalposts dependent on an organization’s industry. Though traditionally this role has reported to a company’s CIO, some in the cyber community have questioned whether this drives or hinders an organization’s ability to prioritize cybersecurity needs.
The focus, however, should instead be on examining the key responsibilities of both roles, analyzing common conflicts of interest that arise between them, and finally, understanding how both CISOs and CIOs can work in tandem to enable business operations and cybersecurity.
Below, we examine three shared functional areas that each role manages differently and where there is room for alignment.
1. Managing Conflicting Priorities
Looking at the fundamental objectives of CIOs in contrast with CISOs, CIOs focus on enabling the business with a better customer experience, digital transformation, cost savings, IT efficiency, and seamless IT operations. CIOs are tasked with providing uninterrupted service to the organization’s employees to support continuous operations and sales.
On the other hand, a CISO’s job is centered around reducing the risk of unauthorized access and disruption, and maintaining the integrity of an organization’s implemented technology. For CISOs, it’s more about how securely data is stored, accessed, and transmitted.
For example, suppose a business user wishes to use a new application that enables them to complete their work in less time than before. The CIO office might approve this request as the intention is to cater to the business user’s needs. However, the CISO office would need to evaluate the risks spanning governance, access, data, and backups before approving this request.
The CIO office and the business user may push the CISO to approve the application. The example here showcases a single application-level decision; repeated at scale across an organization where the CISO reports into the CIO, it becomes apparent that the CIO’s decision would prevail over any CISO concerns.
Opportunities for Alignment
CISOs can be empowered when they are recognized as the voice of authority on security for the organization and collaborate with the CIO as an equal. By sharing knowledge, both CIOs and CISOs can identify areas needing improvement and work together toward a common goal.
2. Understanding Budget Prioritization & Justifications
CISOs are responsible for mitigating risks brought about by legacy IT infrastructures and will often take additional measures to secure them. In organizations where the CISO reports into the CIO, the cybersecurity budget is a subset of the greater IT budget.
This situation creates a perception that security is expensive compared to IT infrastructure when, in reality, the expenses can be traced back to the additional measures taken to mitigate the risks associated with that IT infrastructure.
For CIOs to better support CISOs, the budgetary distinction and separation from the IT department are essential for the following reasons:
- From a people perspective: Security training needs to be updated or modified based on the changes in the cyber threat landscape to ensure employees are able to recognize emerging phishing attacks.
- From a process perspective: There is a need for flexibility due to organizational priorities, market changes, or emerging cyberattacks. For example, changing risk appetites may suddenly highlight the need for an incident retainer.
- From a technology perspective: Due to global digitization and growing use of cloud applications, there is a need for new tools to better monitor and detect attacks in less time.
Opportunities for Alignment
Though a CISO may report into a CIO within an organization, senior leadership may choose to separate the IT budget from the cybersecurity budget. While the budgets are divided, it is critical for the CIO and CISO to work collaboratively, brainstorming to understand where they can align on business objectives to streamline expenses on both sides.
Further, CISOs reporting into CIOs can show the cost benefits of taking a proactive, rather than reactive, approach to an organization’s security. By sharing their expertise, a CISO can help CIOs build safer, more effective IT strategies and embed preventative security measures in every layer of the organization.
3. Prioritizing Business Risks
Without transparency and open communication between a CISO and CIO, preventative actions taken to ward off security incidents may be interpreted as a cost center, rather than a way to enable the business.
Moreover, CIOs that are not fully in tune with CISOs may not accurately represent data around cyber incidents to board members. Instead of reporting on how many times the security team responded to events, the narrative may focus on missed alerts or portray investment in new solutions as a cost center.
Opportunities for Alignment
CIOs are positioned to understand security risks from a wide IT standpoint, as they oversee relationships with vendors, contractors, and other service providers. When evaluating third-party risks, CIOs can supply CISOs with valuable intel about these relationships and help form realistic and achievable security standards.
A benefit of having a CISO report into a CIO is the recognition that usability and security are not at odds. In partnership, transparency and open collaboration between the two roles support the goal of building cybersecurity hygiene. Security risks can then be evaluated and mitigated throughout an organization’s IT infrastructure.
Conclusion
A strong partnership between a CISO and CIO, regardless of reporting structure, maximizes an organization’s security and IT posture. The key here is that the CIO and CISO must align on the business objectives of the organization. CIOs enabling the business through cutting-edge technology can be effectively enabled and augmented by the work of a CISO.
Returning to our earlier analogy, if a vehicle isn’t safe to drive, it may not get very far even if the road ahead is a smooth one. Should the pathway be fraught with obstacles, even a well-tuned car would find the journey a difficult one. When the two roles work hand in hand, the business is able to take carefully calculated risks to gain long-term competitive advantage. The maximum value from the CISO and CIO is derived when cybersecurity is treated as a strategic risk.
Across various industries, CISOs choose to partner with SentinelOne to accelerate their cyber defenses against advanced threats. SentinelOne offers two free eBooks, 90 Days | A CISO’s Journey to Impact – Define Your Role and 90 Days | A CISO’s Journey to Impact – How to Drive Success, as resources for CISOs working to implement best practices in their business. For in-depth expertise and guidance, contact us for more information or request a free demo.