If we look at the headlines surrounding recent data breaches, we might conclude that the role of the chief information security officer (CISO) has never been more critical to the success and sustained well-being of an organization. As a by-product of this statement, we also might surmise that the information security organization, and where it reports, is also important. This is probably why every recent CISO event includes a conversation about where the CISO and information security program should reside within an organization. The challenge is that, however healthy the debate, the question of where the CISO and his/her department should report generally ends with 'it depends'. To shift from a debate to productive action, maybe the question is not where the CISO should report, but why it matters.
Frankly, it matters for a number of reasons, not the least of which is that the CISO (or head of information security) is now sharing the repercussions of data breach headlines along with the companies that they represent. This is a very troubling turn of events and why the topic of the role/reporting relationship of the CISO within an organization warrants further discussion and decisive action.
First, the discussion. The protection of information systems and data is integral to business operations, just like human resources and finance functions are foundational within most organizations. Additionally, just as human resources and finance executives are not responsible for the actions of every employee, the CISO is not responsible for the actions of every employee as it relates to information protection. In fact, just like other executives, CISOs are subject matter experts, who often interpret regulations, establish policy, influence employee behavior and monitor for appropriate outcomes.
Second, information security is not simply a technology problem. The National Association for Corporate Directors (NACD) provides very specific guidance stating that "cybersecurity is an enterprise-wide risk management issue, not just an IT issue." This is an important point as companies expand their portfolio of third parties that manage critical company systems and data (often bypassing internal IT departments).
Third, if the CISO continues to receive equal media billing alongside their company when there is a data security breach, the CISO should have the authority to effect change on par with the CFO, CIO and other key executives. This includes a direct line of sight to the CEO and board of directors, and command of a budget that spans outside of the IT realm into all areas of the organization where cyber risk is introduced.
Now, the call to action. As a profession, information security is relatively immature. There is no one-size-fits-all job description or reporting structure. Even CIOs can have different reporting lines based on the company: CEO, CFO, CAO — to name a few possible bosses. Within the CISO community there are also differences in education, business and technical acumen.