Why the CISO should remain under IT
Despite all the heady talk about GRC, CISOs still toil in a highly technical role; those who seek and win independence from IT risk sacrificing credibility with their peers. Shumard and Associates principal consultant Craig Shumard told CIO.com that the CISO is better placed in the IT organization than not because as much as 80 percent of the role is technical in nature.
"It's a lot easier to get the attention, support and respect of IT people when you're in the IT organization," said Shumard, who maintained both operations and governance control while working for four CIOs during a 10-year career as CISO of insurance provider Cigna. "CISOs reporting to a CIO have both an operational as well as a governance responsibility and that makes them much more effective."
Having operational and governance control over cybersecurity afforded Shumard the latitude to be creative. He says he gave each business unit, including IT, security scorecards to rate how they were performing. "When those scorecards came out and the senior management saw them, it wasn't me responding to why patches weren't done, it was the people who owned it," Shumard says.
Indeed, not every CISO on the MIT panel said reporting to IT presents a conflict of interest. Roota Almeida, head of information security for Delta Dental of New Jersey, says she has reported to CIOs in two of her CISO jobs, including her current position. But she said that organizational culture dictates whether the CISO-CIO reporting structure works. "In a different industry, a different organization, maybe I should be reporting to the chief legal officer," Almeida said.
Changing dynamics across many industries may render the discussion moot.
With breaches continuing at a rapid clip and the attack surface widening thanks to the Internet of Things, cybersecurity will increasingly be shunted away from IT, predicted R. David Moon, CEO of incident response consultancy TriPath Media. He said companies must bolster their defenses without overburdening IT departments. That creates more opportunities for CISOs to grab governance and operational oversight while freeing the CIO to focus on innovation. "We don't see a lot of CIOs who want to be responsible for the GPSes in truck fleets, or smart doors and thermostats," Moon said.