CISO Reporting Line: Your CISO should not report to the CIO or the COO or the CFO…here’s my rant as to why it’s bad Joo Joo!
It’s August 2019 (where has the year gone?!) and we’re still discussing – quite regularly – where the Chief Information Security Officer (CISO) should sit in an organisation. Just this morning in my newsfeed was an article with some pretty weak pros and cons as to where the CISO could report, but it didn’t come to any actual conclusion as to which reporting line was most appropriate. The topic is also discussed in Chris Hodson’s Cyber Risk Management (Chapter 5, Security Function, Horizontal or Vertical, Where to Report). Whilst I disagree with Chris’s premise that the vCISO isn’t saving the world (we definitely are!!), I did like the idea of being a Sherlock Holmes CISO. But, more importantly, I strongly agree with the following statement from Chris:
“the CISO should report into an executive who is most likely to care about the issues being raised”
Now the thing is, all executives should care about the issues the CISO is raising. It’s a Director’s fiduciary duty under the Companies Act 2006 (for those outside the UK you will no doubt have an equivalent) to exercise reasonable care, skill, and diligence and a duty to promote the success of the company for the benefit of its members as a whole. It would, therefore, be challenging for any company Director (or NED) not to care about the issues the CISO is raising whilst, at the same time, be able to demonstrate they are acting out their fiduciary duties. Let’s face it, pretty much every company these days relies on technology and data to support their organisation’s objectives. Be that your customer’s data (yes, it’s still their data) or financial data, or other management information that helps you run a profitable business. So as systems and data are a cornerstone of your business, Directors must care about the issues the CISO is raising.
The fact we’re still discussing the best place got me thinking about whether the question that really needs to be asked (and answered) is:
“What is the CISO’s purpose?”
The answer to this question should finally put to bed the reason why the CISO should never live in IT, and should never report into the CIO or the COO or the CFO.
CISO Reporting Line: So what is the CISO’s purpose?
The Chief Information Security Officer (CISO) is:
“The executive responsible for ensuring the security of an organisation’s information systems and data remains within the organisation’s risk appetite.”
Whether the information systems and data be managed by in-house resources, or by a third party, the CISO must ensure they are secure. Whether the organisation is a micro-business or a major conglomerate, the CISO must ensure security is effective.
So…let’s break that purpose down into its component parts…
CISO Reporting Line: Executive Responsible
The word executive is used because this is a whole-of-organisation role requiring the authority to act across the whole organisation. The CISO must have the power to review any business line process, data, vendor, people or system. HR to Sales, Front, Middle and Back offices. The shop floor or the warehouse. The hotel front desk or the IT service desk. The call centre or the data centre. If HR is using a cloud-based HRIS which is not managed by IT – that vendor, that system and that data are in the CISO’s scope. If the warehouse staff are using a labelling system to place customer address labels on packages – that system and that personal data are in the CISO’s scope. If the sales team are storing leads in a spreadsheet on their desktop (hopefully not) then that data, that laptop, and the supporting processes are in the CISO’s scope. The CISO’s scope is not just IT – especially when IT often doesn’t manage all the IT in their organisation.
The word responsible is used because they have a responsibility to the Board, their fellow executives, and the shareholders to carry out their duties in the best interests of the organisation (even if they aren’t necessarily a Director). It’s also worth noting that whilst the CISO is responsible, the senior management team and the Board are still accountable for their decisions, and those decisions should, of course, be taken with an understanding of the related risks.
Without the appropriate autonomy, seniority and resources, it is not possible for the CISO to be responsible for anything. If the CISO is not able to interact with the members of the senior management team, how can the senior management realistically make informed decisions about information security risks…the short answer – they can’t!
CISO Reporting Line: Ensuring Security
The CISO must have access to the information they need to perform this duty. If the CISO wants one of his team to attend the weekly Change Meeting (CAB) then there should be no barriers. If a CISO has an issue with a particular system implementation there must be no conflict arising from a challenge. The CISO should also have access to the information the CIO, COO and CFO are providing to the Board where it could affect security. If the CIO wants to migrate the entire Data Centre to the cloud to improve service delivery, the CISO should be able to objectively endorse or challenge the CIO’s plan. If the COO wants to outsource a business process, again the CISO must be able to highlight the potential risks without fear of a poor performance review. If the CFO wants to make the service desk team redundant and get in a managed service so as to save money, the CISO must be able to highlight the technical debt (this will be the subject of another article very soon!) that the company will take on in the process.
A CISO simply cannot ensure security if they are in a position which presents a clear conflict of interest. In reporting to any of the CIO, CFO or COO roles, conflicts will inevitably arise between the CISO and their line manager. A CISO must be able to act independently of the CIO, COO and CFO, and so none of them can be the CISO’s line manager.
CISO Reporting Line: Within Risk Appetite
A CISO must understand the organisation from a risk management perspective. The CISO is not there to determine what risks an organisation should (or should not) take but to make it clear to the decision-makers the potential risks associated with their decisions so those decisions are informed. When looking again at the Companies Act 2006, there are some key things that Directors should consider when making an informed decision:
- The potential long-term consequences for the company
- The interests of employees
- Maintaining the company’s good business reputation
- The need to promote good relationships with suppliers and customers
- The company’s impact on the environment and local community
Additionally, Directors also have a duty to exercise independent judgement. By placing a CISO underneath the CIO, COO or CFO, an organisation’s senior management team is hampering its own ability to objectively understand the consequences of its decisions and to exercise independent judgement. This is because the CISO’s message could be distorted depending on the motivations of the CIO, COO or CFO should there be a disagreement in approach.
So you see, again, a CISO cannot sit in IT, reporting to the CIO. They can’t sit under the COO, and they can’t sit under the CFO either!
CISO Reporting Line: But they need to be in IT as that’s where it’s all happening…
I hear this all the time. Even from some CISOs. “How are we supposed to ensure security if we don’t know what’s going on in IT?” they cry. CISOs can’t manage the risk if they sit outside IT, the argument goes, because they would be too far removed from the coalface.
I agree that a lot of information security risk is a result of information systems, and those systems are, for the most part, managed by IT. The thing is, the CISO does not need to be a part of IT to ensure security, but they do need to be a customer of IT. If the marketing team want Management Information (MI) about who is using the company website, IT provides the information. If finance needs a market data feed, again, they go to IT. The CISO should be requesting information in the same way. Not just from IT about IT, but data about the whole organisation. The CISO then needs to use that information effectively – which is outside of the scope of this rant!
The CIO should be responsible for delivering a Security Operations (SecOps) capability that is aligned to risk appetite, but the CISO should not head that team. The CISO should instead be a customer of the data the SecOps capability provides. If the CISO is heading up that team then they can’t provide independent, objective assurance to the Board that the organisation is secure, because they would essentially be marking their own homework. For the same reason, the CISO can’t write and define the policies that articulate the Board’s risk appetite and then also implement the controls that enforce them.
Another thing I hear regularly is:
“This is a technology company, so it makes sense to sit within IT”
I don’t know how true it actually is but someone once told me that HSBC has more developers than Microsoft. Does that make HSBC a technology company – absolutely not. Does being a technology company have any bearing at all on where the CISO should sit – I would say yes. But only to say that being a technology firm makes it even more important for the CISO to sit outside IT. If your organisation’s sole purpose is to deliver technology solutions, it’s likely there is going to be significant pressure to deliver fast. If the CISO sits within the IT function then there is going to be equally significant pressure on the CISO to make delivery obstacle-free. There will be pressure from the CIO, the COO and the CFO to just say everything is fine.
In my time as an infosec professional, I have conducted hundreds of third-party security reviews. It has never ceased to amaze me how often I have seen a vendor risk report on a key product which has reclassified external penetration test results (originally classified as Critical) down to ‘Low Risk’ before they get presented to the client. This is usually with absolutely no rationale as to why it has been reclassified (other than what appears to be a subjective assessment by someone in the IT department, completely unsupported by any risk management methodology). This often happens because internal information security professionals within IT feel pressure to make things look rosy when they probably know they aren’t. When a CISO sits outside IT, there is a materially reduced risk of this type of thing happening…and in a technology company the CEO will most likely be a technologist anyway, so should be more than comfortable understanding what the CISO is going on about.
I also hear this quite a lot too:
“Cybersecurity is full of complex technical issues, we [the leadership team] don’t understand them. The CIO understands so the CISO should report to the CIO who can translate all the techno-mumbo-jumbo for us”
There is a great quote often attributed to Albert Einstein:
“If you can’t explain it simply, you don’t understand it well enough”
If a senior leadership team thinks that cybersecurity is complex then the CISO is not doing their job properly. A CISO cannot help their organisation’s leadership team make an informed decision if the information they are providing is full of impenetrable jargon and complexity. Take the following:
“Host GBDWPROD01 is exposed to CVE-2017-15295 and needs patching ASAP.”
The above should never be presented to the senior management team, but there are times when a decision could have a significant impact and needs senior management approval. The same statement could easily be simplified to:
“The database server containing all our customer data is exposed to a serious vulnerability which requires an immediate fix. The fix requires the server to be offline for 60 minutes. Customers may be affected during this time. The change can’t be implemented out-of-hours due to the need for full technical support should the change fail. Impact could be significant if the fix is not implemented ASAP, as other organisations have already been affected.”
Whilst more verbose than the first statement, the risk is now clearly articulated to a non-technical audience, which helps a non-technical executive make an informed decision. After all, they will be accountable if their customers’ data is compromised. Now consider a situation where the CIO has an uptime or revenue Key Performance Indicator (KPI) and the downtime is going to negatively impact those KPIs. The CIO might be sufficiently motivated to suppress this information and push the change into the next reporting period. This wouldn’t be acting in the best interests of the company. By having the CISO as a counter-balance to the CIO, these kinds of scenarios can be avoided, putting the focus on what is best for the organisation over the individual.
Similarly, the CISO can’t ensure security if their message is not passed on because the CIO, COO or CFO doesn’t feel comfortable explaining the issue. If a CISO is worth their salt they shouldn’t need a CIO to act as a translator; they should be able to explain any complex security issue in words a non-technical senior manager can understand. Notwithstanding that the CISO should be able to simplify complex issues, it is doing senior management a disservice to assume they are not capable of understanding information security issues – have you sat through a Board discussion on credit, liquidity or market risk? If a Board can understand VaR, they can absolutely understand information security! It is doing the senior management team a further disservice to prevent them from asking questions and getting an objective response. A CIO’s appraisal of risk may be significantly different from the CISO’s appraisal. The rest of the management team need to be aware of both points of view before signing off on a potentially disastrous initiative simply because the CIO says it’s ok – that CIO may not be with the company when the wheels eventually fall off!
So what is the ideal CISO reporting line?
The CISO must report to one of two people: the Chief Risk Officer (CRO), or equivalent, if that role sits on the senior management team. If there is no CRO, then the CISO should report to the CEO directly.
Reporting to the CRO means the risk messages should be effectively delivered into the senior leadership team and the Board. Cyber Security and Information Security Risks may be lower down the pecking order than other risks the business is facing and whilst that may be frustrating to some InfoSec hardliners, InfoSec is not the only risk a business faces so it would not be objective to give it more weight than it should. If the CISO has done their job properly, the CRO should be well briefed to answer any pertinent questions the Board has without any compromise in terms of also owning the risks highlighted. This, of course, would not be the case for the CIO, COO or CFO as previously highlighted.
Some organisations may not have a risk management function. In those cases, it’s probably unlikely there will be a CISO anyway. Smaller organisations should instead consider a virtual CISO. This virtual CISO would then report directly to the CEO, whilst internal Security Operations staff, reporting into the IT function, focus on the day-to-day work of keeping the organisation secure. It’s the only realistic way to ensure the senior leadership of such organisations can get genuine assurance.
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy which, in addition to offering training and consultancy, provides a Security Advisory Service for CISOs, a vCISO service for non-CISOs, and Data Protection as a Service. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide”, which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy which, amongst other things, helps client organisations with educating their senior management teams about cybersecurity risks such as those described in this article. Call us on 020 8242 6047 or contact us via the website to discuss your needs.