Ten years ago, merely 43 percent of organizations employed a Chief Information Security Officer or equivalent. Between 2006 and now, there has been an explosion of data breaches plaguing every type of business and sector. Sadly enough, it’s often only after a data breach that an organization appoints someone to fill this role, after financial and reputational damage has taken hold. Despite all the buzz surrounding data breaches, a PwC report cites a mere 54 percent of organizations as having a CISO on staff. All leaders, for the most part, would tout the importance of security, but clearly there is still a void.
For those businesses which do have a security officer, that is a great first step, but it doesn’t even begin to solve the security crises. Without the right governance and support structure, filling this role is more of a liability for both the individual and the organization. Who the CISO reports to will make or break the effectiveness of the role.
Over the past few years, much debate has centered on which of the common reporting lines the CISO should follow: the CIO, CFO, Compliance, CEO or the Board. Unfortunately, there’s no simple answer. Even with the best of intentions, it’s all about the people who occupy those management positions. Whenever a CISO reports outside the IT Business Unit, there may be a greater edge in garnering budget and in succeeding with strategic and tactical decisions. The reality, though, is that in these cases, they’re often seen as an outsider and kept at arm’s length, much like Internal Audit.
Since there are so many variables one is unable to dictate — reporting structure being one of the most common challenges — it’s vital that the CISO position him/herself as a leader who is far removed from the perceived roadblock of the past, and as an individual who empowers the business via innovative input in lockstep with the missions and goals of the organization.
Most CISOs find themselves reporting to the CIO. Therefore, there is much competition with the rest of the business unit around resources, people, and technology. No matter what the character or style of the CIO, the CISO must accept the reality that success depends on winning people over. Traditionally, security professionals have worked in areas typically inaccessible to most employees and rarely associated with anyone outside the team. This has to change. It’s not about wasting time with empty socializing, but about facilitating tactical yet casual interactions that serve as learning opportunities to foster a culture of security empowerment and awareness throughout the organization. It also means substantial efforts to educate the CIO and top-tier leadership, including the board, on the merits of the security program. None of this happens overnight, and it requires constant effort to stay relevant.
The good news is that most CISOs have been invited to the table at the board level and are part of business decisions on the front end. A word of caution: staying on the invitation list requires not only articulating controls and expenditures efficiently, but also an understanding of the business process and a willingness to think outside the box. It’s not about being a bobblehead and saying “yes” when clearly that’s the wrong decision. It’s all about finding alternatives that are security-centric while also enabling the organization to follow through with its roadmap.
It’s not always easy to straddle both sides, but the payoff of being on the inside of all business decisions is essential. If the CISO is excluded as the traditional roadblock, they will constantly be missing critical pieces of the puzzle, putting the organization at further risk. It’s a vicious cycle.
With all of these challenges, how does even the most exceptional security leader begin to generate success for their team and the organization as a whole?
This series will discuss critical characteristics of the CISO role and important strategies and tools that will help foster the competitive edge needed by every organization to have a fighting chance in this climate of cyberattacks. All organizations are a target, no matter the line of business or the size. Criminals are motivated by any number of variables, and it’s time we got serious about security, rather than just saying we’re serious about it.
In upcoming posts, I will address a number of topics relating to cybersecurity, including how to build an arsenal to withstand attacks, how to build a culture of security consciousness, and how to position it as part of your strategy without compromising other initiatives.