Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report. Some say the CISO should report only to the CIO because the top security role is inextricably linked to IT. Others say this is a terrible idea because the CISO must lock down the corporate network while the CIO is challenged to innovate. A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.
MIT professor and panel moderator Stuart Madnick asked the CISOs to whom they believed they should report. State Street CISO Mark Morrison suggested that the common model of security chiefs reporting to IT leaders is no longer tenable. "I think there needs to be some independence of the CISO from the IT organization," said Morrison, who provides information security for a financial services company with $30 trillion under custody.
Cybersecurity fears have CISO role under heavy scrutiny
Corporate boards have made it their business to become well-versed in cybersecurity, following an onslaught of hack attacks, breaches and other pernicious scams. Boards are calling for CISOs to join the CIO in providing joint updates, ostensibly in the interest of better governance and oversight. The increased focus on corporate defense is making it harder for CISOs who report to CIOs to do their jobs, raising the possibility that it might be time to rethink the security chief's reporting structure -- at least according to Morrison and some of his panel peers.
Morrison has dual reporting lines to CIO Antoine Shagoury and the board, whose technology committee he meets with nine times a year, accompanied by the CIO. Inevitably the board asks Morrison to report on cyber risk, including what additional tools it should invest in to improve protection. That's when things start to get dicey, as the board asks him whether he's getting enough support and money to do everything he needs to do. Sitting next to his CIO, "it's hard to give a very honest answer to that [question]," Morrison said.
The tension ratchets up when Morrison outlines the company's vulnerabilities and the board asks him why he isn't "moving faster" to fix them. "My response is, that is not a question for me to answer; that's a question for the CIO, because I'm not responsible for patching -- that's the operational element," Morrison said. "So we run into a lot of these conflicts that don't really get resolved."
Sam Phillips, panelist and CISO for Samsung Business Services, said that it can be tough for CISOs to get the money, talent or other necessary resources to drive security programs while working under the CIO. "The CISO should be an independent body doing governance, risk and compliance in addition to validation and implementation of the security program," Phillips said. He suggested the CISO might be better off reporting to the chief legal officer or chief risk officer, who in turn report to audit and board committees.