Corporate culture and the profile of the CISO are key, over and above any arbitrary organisational consideration
It is astonishing to see the amount of interest still surrounding the reporting line of the CISO. The fact that it is still a topic of serious discussion amongst security professionals tells us a few things about the role and its perception: Is the role properly established, identified and accepted in organisations? Or is it (still) seen as some form of arbitrary (and bureaucratic) imposition by regulators?
In theory, there should be no debate in the face of a constant avalanche of cyber security issues in the news. The need to protect the firm from cyber threats should be obvious for the Board. One Board member should own the problem and delegate the coordination and delivery of the necessary protective measures to one of their direct reports. Period.
At this point, there are several options available for the reporting line, depending on the cyber security challenges the firm is facing and its digital footprint. These lead to different role profiles for the CISO, which we have analysed in an earlier article.
The right reporting line is always the one that works and gets things done, not an arbitrary one that creates barriers, engenders politics and hinders delivery (even if it ticks audit or compliance boxes).
In practice, however, things rarely work so simply. It is not uncommon to encounter problems of understanding at Board level around cyber security issues, leading to adverse prioritisation. Equally, there are often skills issues at Board level minus 1, leading to difficulties in appointing a CISO with the right profile for the role. Looking externally often fails (in particular in large firms) because of the intrinsically horizontal nature of the CISO role, and the need to understand how the firm really works in order to navigate across corporate silos, be credible and make things happen around security.
All this often leads to placing the CISO role by default in the portfolio of the CIO or the CTO, even if those are not Board members.
This is not a problem in itself, in particular in firms that have a strong technological bias, and there are many good ways to make this work efficiently, as we have suggested in the past.
Many security professionals who have an interest in this topic seem concerned with separation of duties issues, and the fact that conflicts of priorities may emerge between the CISO and their boss in those configurations.
It is true that CIOs and CTOs are coming under a lot of pressure in relation to digital transformation, and some may struggle to dedicate time, attention or priority to security matters. But that does not make the option a bad one in itself.
Culture is key in all this, as well as the personality and the gravitas of the individuals involved.
In today's world, if a CIO or a CTO is not capable of prioritising in favour of cyber security matters in the face of constant incidents across all industry sectors, frankly it is likely that no one in the firm will, and wherever you place the reporting line of the CISO, you will encounter similar cultural issues. Those could be rooted in endemic short-termism or, very simply, in poor management or governance practices at the top.
But if the CIO or the CTO is cyber security aware and control-minded, then the CISO could become a very strong ally for them and help them forge a truly transformative vision.
Of course, the seniority and the gravitas of the individuals involved are essential. The CISO role is transversal and complex, and needs to be given the right profile internally to attract the right senior professional. This is a role where real-life managerial experience is key to working autonomously, navigating around all pitfalls and fighting the right political battles at the right time. All those aspects are probably more important than raw technical skills.
This is not a job for a junior consultant, a junior IT executive or an ex-auditor, irrespective of their potential. This is a hard job that requires an experienced pair of hands, with personal and political gravitas.
Issues around conflicts of priorities often emerge where both the CIO and the CISO lack that gravitas or political acumen: the CIO not willing to face the business over security issues, and the CISO not willing to confront the CIO over them. Those are not issues inherent to the reporting line, but personal matters that relate to the managerial attitudes of those involved.
The CISO needs to be a credible field executive who really knows how the firm works, reporting to a control-minded senior executive at Board level. Little else matters, and certainly not arbitrary separation of duties considerations.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.