Chief Information Security Officers Should be Reporting to Chief Risk Officers

In the "old days" the physical security team sat in a back room watching cameras on a bunch of CRT monitors, and information security was part of the network administration group, tasked mostly with managing firewalls to keep the bad guys from breaking in through the company's T1 lines.  Those were simpler times, before technology touched every aspect of our personal and professional lives, before networked PCs, the internet and the Sarbanes-Oxley Act. 

As time went on, more companies saw the need to appoint a manager to oversee the many moving parts of information security, leading to the creation of the Chief (Information) Security Officer (CISO/CSO) position. 

Today, there are few enterprises that do not have a CISO.  Even though they have achieved a position of leadership, these technically rooted CISOs have largely struggled to manage highly complex enterprise environments that extend to the cloud and to smartphones, threatened by an ever more sophisticated adversary who takes advantage of a daily stream of new vulnerabilities to exploit key assets and damage businesses' reputations and bottom lines.  Add to the mix regulators mandating compliance with continuously evolving requirements, and you have the makings of a CISO identity crisis.

Historically, CISOs have reported to the Chief Information Officer because of their technology-focused role.  However, as the CISO position has evolved, more companies are moving the CISO reporting line to the Chief Risk Officer (CRO).  The shift has not been without controversy, the main objection being that no matter how you spin it, technology is still at the heart of the job.  True as that may be, technology, just like people, electricity and coffee, is at the heart of most jobs in today's corporate world. 

To have any real chance of minimizing the impact of cyber events on their company, CISOs need to approach cyber security less from a technical standpoint and more from a risk standpoint, which is why reporting to a CRO makes sense.

Fundamentally, applying limited resources to protect assets of value from threats that exploit vulnerabilities is a risk management problem.  The measures taken to protect those assets will largely (but not entirely) be technical in nature.  Just as we do not build office buildings without windows in case of a tornado, our information infrastructure is inherently exposed to the elements, and there needs to be a measured approach that enables business to be conducted without needlessly endangering it.  That approach means looking at cyber security from a risk management standpoint: allocating security resources according to the likelihood that a threat and a vulnerability will align, and the impact on the business if they do.  A high-likelihood, low-impact issue and a low-likelihood, high-impact one both need to be weighed on those two axes rather than by their technical severity alone.  CISOs quarterback that process and therefore benefit from being part of the risk organization. 

It's also important to recognize that a company's greatest asset, its people, is also its greatest vulnerability.  In other words, people create cyber risk.  No matter how high companies build the walls around their assets, as long as they have users with legitimate access to sensitive corporate information, that information is exposed through compromised accounts, phishing, social engineering and the like.  Solving this human problem requires a respected professional sitting at the same table as the rest of the company's leaders, building a culture of risk management in which employees treat the company's assets as their own.  As part of the risk organization, CISOs carry greater authority to convince their peers across the organization of the importance of this non-technical problem to the bottom line.

Cyber risk reduction starts at the top, meaning the other C-level executives and the board must view it as a top business priority.  The industry is getting closer to that goal, and cyber risk is getting significantly more attention.  As a recent board survey reveals, 74 percent of board members say cyber risk information is reported to them weekly.  The next step is for CISOs to make that information meaningful and actionable by speaking the language of the board, the language of risk.  CISOs who talk purely tech are perceived as "techies" with limited understanding of the business.  To demonstrate that they understand how cyber risk plays into their company's operations and bottom line, CISOs must communicate it the same way other business leaders communicate about other operational risks.  Reporting to the CRO will support and accelerate that shift.

Related Reading: CISOs Risk Getting Fired Over Poor Reporting

Related Forum: Request an Invite to SecurityWeek's 2017 CISO Forum

Steven Grossman is VP of Strategy and Enablement at Bay Dynamics, where he is responsible for ensuring our clients are successful in achieving their security and risk management goals. Prior to Bay Dynamics, he held senior positions at consultancies such as PricewaterhouseCoopers and EMC, where he architected and managed programs focused on security, risk, business intelligence, big data analytics, enterprise program management offices, corporate legal operations, data privacy, cloud architecture and business continuity planning for global clients in the financial services and health care industries. Steven holds a BA in Economics and Computer Science from Queens College and has achieved his CISSP certification.