Corporate cyber chiefs are in high demand, but many still report into chief information officers (CIOs). With cyber threats on the rise, some security leaders want greater clout.
Chief information security officers (CISOs) are earning more than ever as demand for qualified security leaders pushes up salaries. However, many still work under IT leaders, usually CIOs, largely because security professionals have a technical background and this fits naturally under the CIO remit.
But with cyber threats increasing in frequency, scale and sophistication, some security leaders are no longer interested in a C-suite role where they’re merely a branch of the IT team, and fear they lack the agency they need to really make a difference.
So how can CIOs best manage this relationship and deal with any potential tension?
“The best thing the CIO can do is use the strength of their seat to empower and support the perception of the CISO role across the company,” says Joanna Burkey, CISO at HP Inc. “In the best relationships, the CIO is 100% supportive of the CISO and maintains a strong, united front on security topics. There might be healthy debate in the background, but that is handled appropriately and privately.”
Paul Shaw, group security officer at media and digital marketing communications company Dentsu, says CISOs who are unable to engage peers or secure budget often blame reporting lines and assume they would be more successful if they reported into the CEO.
“My belief is such a move is not the solution; those companies either have the wrong person in the CISO role, or the wrong person in the executive team position they are reporting to,” he says. “I don’t think it is wrong to have the CISO reporting into the most senior IT/Technology role as long as that person has the right breadth of responsibility and is a member of the executive leadership team.”
Indeed, says Shaw: “If the CIO does not understand the importance of security and is not invested in supporting a security agenda, the company has the wrong CIO. Equally, if the CISO does not understand the commercial realities of the business and the balancing act the CIO needs to do with budgets and resources, the company has the wrong CISO.”
But as long as the roles are held by mature individuals, it’s just the same as any other relationship, Shaw notes, with the same desire for mutual success.
Showing empathy
Sharon Mandell, CIO at technology firm Juniper Networks, believes CIOs need to empathise with senior cyber executives.
“Be supportive because they have it at least as tough as you do,” she says. “In IT we often think we have the impossible job, but the reality is it’s even more challenging right now to be the CISO. They have nation states, criminal rings and a billion-dollar-plus industry – ransomware – aimed at making them fail.”
Mandell says the CIO must not only support the CISO in one-on-one settings, but help the broader organisation understand the challenges they face. “The CIO should be making it clear that security is everyone’s responsibility, not just the CISO’s or the security team’s,” she says.
Crucially, Mandell says that while Juniper Networks’ CISO reports to her, when it comes to matters of security, she works for the CISO, not the other way around.
The CEO must be confident that their CIO is transparent about what is going on underneath them, can live with the implications that the organisation might face if something goes wrong and will own the responsibility if it does.
“If the CEO can’t get that confidence, they should have the role report somewhere else.”
A change of reporting?
So could it be in the CIO’s best interest – and the best interests of the company – to allow complete agency for the CISO?
In many ways, the particular setup doesn’t really matter, says Duncan Brown, vice-president of European Enterprise Research at IDC. What is increasingly important, he says, is that security – and cyber threats in particular – is given the visibility and priority it deserves.
“If the CIO can provide this and garner board level support, then the relationship should work just fine. Equally, if that support can be provided by another senior executive, such as a head of risk or chief operating officer, then again this should work.”
Brown says the obvious solution is for the CISOs themselves to report at board level. But while we’re seeing more examples of this, it’s still far from common practice.
“Security is largely a technical subject and explaining it to board level executives requires a particular set of communication skills that many security professionals do not have,” he explains. “In addition, it requires an understanding of the business impact of security threats, rather than a focus on the threats themselves.”
Organisational hierarchy is less important than ensuring the CISO has the appropriate platform in the company, Burkey argues.
“If the company culture is such that the CISO isn’t listened to or is not allowed to work out of the ‘IT boundaries’, there are some fundamental issues at play that need to be better understood and accepted, without the assumption that ‘just’ a reporting change would fix them,” she says.
Like any working relationship, there is nothing unique about this potential conflict. The goal is empowering professionals to work together to embed security throughout their organisation. This is a shared responsibility – with a shared focus on the business – where each knows the important role they play.