Is it time for a change in the roles of our key IT leaders?
Organizations deciding to bring on a CISO wrestle with where the position should report, and there is no magical answer. Although some believe the CISO cannot be effective under the CIO, after many years of experience, I have found that this depends on the maturity of the security program, what security versus IT is responsible for, and what regulatory laws govern the organization. I've worked in organizations where I reported to the chief information officer (CIO) and it was a disaster, but I've also worked in different organizations with the same reporting structure and it was a great success. Regardless of where the CISO sits, the placement must not create a battleground in which the CIO and the CISO fight for the same resources and funding; pitting them against each other ultimately creates a disastrous situation.
Throughout my own career, when interviewing for various CISO positions, it has been important to discuss the maturity of the security team or program. When the position is new or the enterprise has never had a “titled” CISO before, I'm compelled to ask why they're hiring a CISO versus growing the position organically from within. The answer isn't always what I hoped to hear. More than once I've been told, “the board says we need a seasoned CISO.” Or worse. One CIO said, “I'm being forced to hire a CISO so I'm just looking for someone who can toss out some policies and be a team player.” This is often a telltale sign that better communication needs to happen between IT and executive leadership, not necessarily that there is a void in security leadership.
Depending on the size of the company, vertical market and compliance requirements, it's quite possible that cross-training the CIO in information security may be an option that organizations consider rather than brute-forcing a CISO role onto the IT leadership team or within the organization. In turn, for more mature organizations – and to help with succession planning – giving the established CISO the ability to cross-train into the CIO role would give them a professional career path and lead to better retention. Organically growing your IT leadership team and blending these positions over time will create a healthier IT team that bridges the gap between the CIO and CISO. The trend of CIOs and CISOs blending is already starting, and those organizations are reaping the benefits of having a security professional running the IT team.