Much Ado About A CISO
The title Chief Information Security Officer (CISO) implies that this individual should sit in the C-Suite, reporting directly to the CEO and Board of Directors. Guess what? That ain't happening! I know, ain't isn't proper grammar. However, I have friends in Tennessee who will appreciate it.
First off - what should a CISO do? They are charged with managing the information risk profile for an organization and providing recommendations on cyber security strategy, solutions, processes, programs, technology, and roadmaps to the CEO and Board of Directors. They should be uninfluenced by organizational hierarchy and unencumbered by any organizational reporting structure that could dilute their message. They are the Chief Advisor on all things related to information or cyber security.
What are they actually doing? Good question. Largely, just sitting in a figurehead position trying to push initiatives up a rope. Try it sometime, not very easy!
Most CISOs report to the CIO or CFO, which really makes them a Director. This really messes with the whole separation of duties concept. To illustrate: a CISO reports to a CIO. The CISO finds a vulnerability that hasn't been closed even though it was identified through an audit. He/she brings it to the attention of the CIO, who is responsible for the lack of action on the vulnerability in the first place. See where this is heading? The message from the CISO will get diluted, since the CIO needs to ensure they do a little CYA. Another shout out to my dear Tennessee friends. More often than not, this CISO has no interaction with the C-Suite or BoD, since the CIO is the one responsible for reporting. Let's carry this example a little further - the vulnerability is exploited through a malware/phishing attack and a major data breach occurs. What happens next? I'll let your imagination work on this while I help the CISO find a new job.
So as I'm writing this piece, Home Depot announces they will put an IT and cyber specialist on their BoD. This plays very well into my tome. One would hope that this individual would lead an aggressive BoD-level approach to all things cyber. This would certainly give the CISO the podium to articulate the Information Risk message without dilution. Hopefully, this CISO reports to the CEO, since the BoD appears postured for a more aggressive approach to managing cyber security. A little late (i.e. a barn door and horse reference comes to mind) but, nonetheless, an important step.
I posit that a CISO who isn't part of the C-Suite and doesn't report directly to the CEO indicates a lack of maturity and understanding by senior leadership and the BoD of the potential impacts of a cyber attack or data breach. Better to fix it now, before the horse leaves the barn through an open door.
KINDNESS INFLUENCER | EXECUTIVE PRODUCER - THE KINDNESS FACTOR | KEYNOTE SPEAKER | KINDNESS WORLDWIDE AMBASSADOR | AUTHOR | KINDNESS HABIT NEWSLETTER
7 years ago: You have a great writing style that paints the pictures we've all got in our heads and have a challenge articulating. The idea of trying to "push initiatives up a rope" perfectly describes the situation not only many CISOs face but most Information Security Managers. How refreshing it would be if the C-Suite would be willing to read articles like yours and take positive actions as a result. Great insights. Thanks for sharing.
Executive Vice President, Healthcare & Life Sciences | Cyber Security
9 years ago: "I posit that a CISO that isn't part of the C-Suite and doesn't report directly to the CEO indicates a lack of maturity and understanding by senior leadership and the BoD of the potential impacts of a cyber attack or data breach." THIS TIMES 1,000
Professional Services & Solutions at HICG (Healthcare Integration Consulting Group)
9 years ago: Thanks for the content. I enjoyed the read and agree with you.