Should The CISO Report to the CIO?


TL;DR: The title of the person you report to matters less than the individual and how you manage your relationships with your key stakeholders; focus your energy on shared outcomes, not titles.

For some time, the cybersecurity community has discussed and debated the role of the CISO and to whom they should report. Although a bit dated, this quote from Security Intelligence sums up the sentiment I've heard quite well: "When the CIO has incentives tied to output, security often takes a backseat. This puts the CISO, and the organization as a whole, in jeopardy. The CISO who reports to the CIO has no control over decisions that impact security risk. Having a CISO as a peer to the CIO alleviates this conflict of interest." [1] I also thought Cisco's perspective summed up the same sentiment well (even if the quote contradicts itself - more on that later): "If overall risk management – including financial, programmatic, human, facilities, and information technology – is embedded into the very soul and culture of the organization, with risk appetite and risk tolerance decisions continuously on the radar of the senior executives and the board of directors, then the CISO cannot realistically be buried under the CIO." [2] While these are certainly possible outcomes, I fundamentally disagree that the conflict of interest exists simply because of the individual's role or title; in my experience, it comes down to the individual and how they view, manage, and communicate risk - and that is true for both the CIO and the CISO.

I've been in the cybersecurity industry for over 25 years and have been a CISO at multiple large publicly traded companies for more than ten of those years. During my tenure as a CISO, I have reported to the Chief Legal Officer, the Chief Human Resources Officer, the Head of Physical Security, the Chief Financial Officer, and, on more than one occasion, the Chief Information Officer. Across these varying reporting relationships, there have certainly been pluses and minuses, ups and downs; however, in my experience, the key was not in the "reporting" but in the "relationship." It can be challenging to relay cybersecurity risk to a non-technical leader who lacks a clear understanding of technology and of the risks associated with the very technology his or her team relies on to support the business (I can distinctly remember debating the risks of cloud computing years back with a non-technical leader who insisted that it was a fad - when all you have is a hammer, and all that).

Risk Management Is A Shared Responsibility

Far from being a conflict of interest, the CISO reporting to the CIO can create tighter strategic bonds, help align investment, and focus activities that systematically drive down risk. While I didn't ask Steve if I could reference him in my article, I know him well enough to know he won't mind. You see, Stephen B. is my counterpart in Infrastructure & Operations at McDonald's; we are peers who report directly to the CIO, Brian Rice. Steve and I have traveled around the world during our short tenure at McDonald's and have spent considerable time building our relationship and discussing strategic priorities, tactical challenges, and so on. We have discussed the challenges that face our business partners and the strategies we can collectively drive to address those challenges. Steve and I may not agree on everything (to be honest, we tend to agree on most things), but when we don't, we pick up the phone and work out a path forward. I have funded several initiatives to help drive his strategy forward, and vice versa. We share the view that risk, whether cyber or operational, is our collective responsibility; if one of us fails, we both fail. In addition, I also partner with three CIOs, Whitney McGinnis, Richard Murphy, and David Lloyd, who are collectively accountable for the information technology in our three main business segments, all of whom report to Brian and are peers of mine on the Global Technology Leadership Team. There has never been a time, and I mean this in the most literal sense, that I have picked up the phone and asked for help and they have not bent over backward to assist. Yes, we are all peers, but we are peers with a common goal and a shared concern for risk; we all fundamentally believe in shared outcomes.

Embed Risk Management In The Very Soul And Culture Of The Organization

At the beginning of this article, I referenced a quote from Cisco that I am diametrically opposed to. In their view, if overall risk management is "[...] embedded into the very soul and culture of the organization [...]" (I like that part of the quote, by the way), then "[...] the CISO cannot realistically be buried under the CIO," which, in my opinion, could not be further from the truth. When you have risk management "embedded into the very soul and culture of the organization" (again, I really like that quote), then it doesn't matter where the CISO sits - his or her job becomes one of enablement. Risk discussions are not forced; they occur naturally and are part of the everyday vernacular. In that environment, the CISO can fundamentally sit anywhere.

While I have enjoyed building relationships with my peers in Legal and Human Resources during my time reporting through those respective organizations, I have found that having deep discussions about emerging technologies, the risks associated with them, and how we can collectively work towards shared outcomes is incredibly enriching and valuable. Discussing and debating strategies with like-minded peers helps us collectively prioritize the people, investments, and technology standards that more effectively manage risk. (Although I do miss my debates with Roman Streitberger while I was at Honeywell - and I mean that in the most sincere way. Roman is a great leader and legal professional whom I respect and with whom I enjoyed working immensely.)

Can the CISO report outside of the technology organization? Sure! My point is that the title of your leader matters less than their approach to risk management. What matters more is how you build relationships with the key partners who will help you effectively drive down risk. Put much more clinically, as only the National Institute of Standards and Technology (NIST) can do, the structure and responsibilities of the cybersecurity organization should be tailored to the organization's mission, size, complexity, existing resources, and risk management approaches. [3]

By the way, the headline picture is of me, Steve, and our collective teams meeting one of McDonald's Owner Operators in Sydney, Australia - an epic trip to remember!

References:

[1] Security Intelligence, "Why CISOs Shouldn't Report to CIOs in the C-Suite" (2021). https://securityintelligence.com/posts/why-cisos-shouldnt-report-to-cio-c-suite-conflict/

[2] Cisco Blogs, "Should the CISO Report to the CIO?" (2021). https://blogs.cisco.com/security/should-the-ciso-report-to-the-cio

[3] NIST, "Cybersecurity Framework." https://www.nist.gov/cyberframework

Joseph Burkard

SECURITY & RISK EXECUTIVE

1 year

Great article Shaun, thanks for sharing, and I agree with your conclusion -- it's more about culture and relationship than reporting structure. Keep up the good work!!

Gadi Evron

Building a world-class AI security company at Knostic | CISO-in-Residence for the Professional Association of CISOs

1 year

Commenting for my network

Amahdy Bradley, CCISO, CISA, CGEIT

Cyber Security Executive and Army Veteran

1 year

Valid observation and point raised!

Corrine Ptacek, CSM, PSPO, ITIL v.3

Manager - SMO- ITSM Catalog Service Manager @ McDonald's | Driving ITSM Excellence

1 year

Great post! I too agree with your sentiment that it depends on the relationship. I am lucky to work with some good examples of that!

Michael L. Woodson

Strategic Cybersecurity Executive | Visionary Leader in Cyber Resilience, Risk Management, and Governance | Transforming Organizations Through Strategic Security Frameworks, Regulatory Compliance, and Innovation

1 year

NO!

More articles by Shaun Marion
