Who should the CISO report to: Maybe the title is the issue

I consistently see the question raised of whom a CISO should report to. The CISO role in most companies was modeled after federal regulation. In the original federal FISMA legislation, the CISO was set to report to the CIO, a position that had been established by earlier legislation (the Clinger-Cohen Act). During the wrangling over the legislation, the principle was that the CISO would be primarily an audit entity, reporting to the CIO on what the CIO's groups were doing to secure the enterprise. Unfortunately, stuff happens.

Along the way the “C” word (chief) got added to risk, security, privacy, and a variety of other roles, swelling the C-suite and making the word chief virtually meaningless. Each of these executives can have a variety of missions and teams. We could draw a basically meaningless Venn diagram. Often, we find the roles hopelessly undermanned. Here is a loose set of definitions. There are no hard and fast rules on these, but here we go.

Chief Information Security Officer (usually compliance with various regulatory mandates): responsible for security controls on information systems and assets.

Chief Risk Officer (usually business facing): primarily responsible for assessing current risk and balancing it against risk tolerance (especially in mergers and acquisitions).

Chief Privacy Officer (compliance with various regulatory mandates): primarily concerned with disclosures and compliance with privacy regulations wherever the business entity operates.

Chief Security Officer (granddaddy of the C’s): can be limited to physical security, but can also be a full-scope operational entity covering physical and information security controls.

Along the way I’ve seen some interesting stuff in what companies think about the roles, based on the certifications required for them. Whether CISM (security management), CISA (security auditing), or CISSP (security professional), it becomes obvious that certifications rapidly lose meaning, as I’ve seen an acronym soup in many job advertisements. Job descriptions are a gold mine for the focus, values, and conceptual maturity of organizations thinking about the place of security within the enterprise.

We have some interesting things being discussed in some facets of the security community. I’m especially interested in seeing how roll-ups and divestiture of “C” titles mature. I’m of the opinion we will really know this role, whatever it becomes, is important when the executives holding the title are 10-K filed and named executives. The same goes for reporting lines. If you have the “C” suite title but aren’t part of the “C” suite, you’re not really a “C”.

Similarly, I’ll be interested in seeing if something like a Chief Security Risk Officer (CSRO) or similar evolves, with risk, intelligence, auditing, privacy, and the various forms of physical/information security reporting to that single entity. The corporate or product environments are just small parts of this role. In my previous roles I’ve had any, all, or some of those roles report to me at various stages of this industry’s maturation. I’m a strong believer in moving security out of compliance (you must be yay high to ride) to controls-based and operationally focused. An absence of focus on pragmatism and the conduct of business is a risk of an audit-focused rather than operationally focused security role.

One more thing on the operational focus of security. The focus and ability to provide a unified, integrated, and holistic response should be a core focus of the emerging security role. If you’re running a business and an event, incident, or activity comes into focus as a security issue, whether it is protesters on the street, hackers in the network, or a data center on fire, you must build the resilience and the capability to respond actively while conducting business and while recovering. There is a tendency in the security world to say “shut it down, shut it all down,” but that is not always possible, whether you are running critical infrastructure or non-essential services.

I think a big hang-up in the C-suite is understanding that the mission space in security is morphing to be not only business sustaining but business enabling. The role of security is bleeding into network operations support, sales support, engineering support, product support, mission support, and so much more.

Some would say the mission of security is evaporating, but the focal point gets lost if you distribute that role. The discussion over whether to distribute or centralize the security mission space is pretty much over. If you take security seriously, you are going to centralize those functions primarily to create focus. Focus on sales is what a Chief Sales Officer provides to the Chief Executive Officer. Focus on business operations is what a Chief Operating Officer provides to the Chief Executive Officer. Focus on security and risk (usually a board reporting requirement) is what security professionals provide to the Chief Executive Officer.

I don’t have any specific answers, but every time I see another vote on who the CISO should report to, I wonder if CISO is even a thing anymore. I think the role has been morphing and should mature into a business-oriented, operationally focused, compliance-supporting role with an enterprise viewpoint, and that role is going to report to the Chief Executive Officer.