Our view – built on years of direct field experience – is that the reporting line of the CISO has to be at board level and must be driven by clear underlying objectives shared unambiguously by the CISO and their boss – whoever that happens to be in the organisation.
It could be a need to increase cyber security maturity. It could be a need to demonstrate compliance to regulators. It could be a need to demonstrate to shareholders that the right things are being done following a data breach. It could be all of the above … But in all cases, the boss has to be prepared and willing to throw their weight into the battle unambiguously and consistently.
In an ideal world, it’s their boss’ flawless commitment to cyber security values that the CISO does leverage on to drive change, coupled with their own gravitas, political astuteness and management acumen.
In our opinion, this articulation is the strongest to deliver lasting change, and is considerably stronger than multiple reporting lines or dotted lines, often aimed at avoiding perceived “conflicts of interest” but in practice poorly understood and highly vulnerable to internal politics.
However, it is also a construction which is coming under pressure in many firms when it comes to the relationship between the CIO and the CISO. And it is as a direct result of the pressure being applied to CIOs by executive management to deliver “digital transformation”.
Many CIOs struggle – frankly – with such pressure. One day, they are told – by auditors or regulators – to focus on getting the basics right and keep legacy systems going. The next, they are told – by their board – to be more “agile”, to work faster and to “do digital”. And they have to square that circle with the teams they have – not necessarily best equipped in terms of skills – and often at the back end of several years of cost-cutting that might have introduced dysfunctional offshoring arrangements and opened the door to countless “shadow IT” situations within the business.
Where does cyber security fit in all this? Very often, the answer is quite obvious: It doesn’t … until something goes wrong.
And it is exactly in this context that maintaining a reporting line to the CIO is increasingly a problem for the CISO. If the CIO is no longer able to prioritise cyber security all the time towards the top of the list because of the pressure of the “digital transformation”, then the reporting line of the CISO must shift to another board member who can. And quickly.
This is a very serious matter because – precisely – the “digital transformation” itself is introducing at a very fast pace countless new cyber security issues – from customer data privacy considerations to the security of IoT devices. Those are best addressed from the start instead of retrofitted later. A strong CISO is key at times like these and can be an essential part to engineering cyber security as a competitive advantage. But they need to be highly visible in the organisation and backed unambiguously by a board member who cares
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.