Positioning the CISO to Succeed

Cyber security teams feel more confident in delivering their mandates when they report to the CISO or CEO, rather than the CIO, the 2019 ISACA® State of Cybersecurity Survey revealed. The results of this study, which polled the perspectives of 1,576 security practitioners globally, are relevant as tightening regulatory pressures and rising consumer privacy expectations are pushing the CISO role to the top of corporate agendas.

Despite the rising significance of their roles, many CISOs are still inhibited from fulfilling their potential due to outdated reporting lines, with the majority still reporting to IT executives. As I have stated before, to effectively deliver their mandates, the CISO must have unrestricted access to the c-suite and the board. This arrangement offers four distinct advantages.

Firstly, it enables corporate directors to ask difficult and precise questions, giving them unfiltered visibility into exposures that threaten the viability of the enterprise and the adequacy of management response measures. On the contrary, channelling cyber risk messages through management layers can impede transparency or dilute important messages.

Secondly, unfettered board access informs the CISO of the most important business priorities, aligning the security roadmap with business strategy. Developing a strong grasp of the business value chain also fosters the transformation of the CISO from a technology-centred executive into a business-savvy strategic thinker, astute resource allocator and business influencer - all of which are required to thrive in this high-pressure role.

Thirdly, empowering the CISO promotes business agility as cybersecurity teams can make risk decisions faster, balancing the need to protect critical assets and speed to market. It also fosters a strong cyber-aware culture as the CISO can confidently veto business decisions that expose the business to unacceptable cyber risk. On the other hand, when the CISO has questionable organisational stature or is stereotyped as a glorified security administrator, the enterprise can systemically disregard known security risks. This can be very dangerous, since vulnerabilities tend to aggregate over time, leading to damaging impacts.  

This sentiment was echoed by Steve Kartz, a respected cyber security veteran widely regarded as the world’s first CISO, who said, "To be a successful information risk executive, you have to believe that you are and that you have a seat at the executive table. Make sure that the other executives in the corporation realize you belong there.”

History is a clear guide. When Equifax lost more than 145 million customer records to internet thieves in 2017, the credit monitoring giant’s chief security officer (CSO) reported into the chief legal officer (CLO), who lacked a background in IT and security.

Equifax’s shortcomings do not stand alone. Analysis into Target’s infamous 2013 data breach - in which more than 40 million payment card details were stolen - revealed that the retailing giant didn't have a CISO or even a C-level executive advocating for security investments. Justifiably, seven out of ten Target directors were ousted for failing to provide adequate cyber risk oversight. The Equifax and Target chaos are only two of many cautionary tales.

Fourthly, and perhaps the most significant, having the CISO report into the CIO undermines their impartiality. The CIO can routinely redirect security budget towards frivolous and non-discretionary IT initiatives. As a result, rises in cyber security budgets do not translate to more resilience. Furthermore, when IT and security are bundled together, stability and speed will always take precedence over security, leading to delayed or terminated projects, unpatched critical systems and several other issues. This also raises the possibility that material risks may be filtered out of governance reports, as the CISO may be concerned about undermining their boss, which invariably threatens their own career progression, salary raise or bonus. This often leaves the board with an inflated sense of resilience, until the enterprise runs into trouble.

While the need to empower the CISO may sound intuitive, dismantling these suboptimal chains of command is slow, frustrating and fraught with challenges. The 2019 ISACA® State of Cybersecurity Survey revealed only 13 per cent of security practitioners have their cyber security teams reporting to the CEO. In Australia, the numbers are even more discouraging, with 41 cyber security leaders polled by CISO Lens in December 2018, a paltry 3 per cent of these leaders reported to a CEO, with a staggering 58 per cent reporting into IT functions (CIO, CTO or Head of IT).

So, why has the traditional model been so resistant to efforts to supplant it, despite the unquestionable correlation between effective cyber security structures and business resilience? In part, because CEOs seek to reduce the number of direct reporting lines. CEOs believe this allows them to focus more on strategy and operational leadership, but without full visibility of the operational risks and threats, a business is unable to survive and thrive. CEOs want less distraction from their focus on strategy and operational leadership.”

The CISO role is already stressful with multiple challenges.  According to a study conducted by Nominet earlier this year, “a whopping 91 per cent of CISOs experience moderate to high stress in their roles, with 26 per cent admitting that work-related stress was impacting them mentally and physically.” Among other factors, continued lack of support from the board and upper management was a major catalyst to rising CISO anxieties.

As mentioned, the conventional CISO reporting lines present many pitfalls and undermine the board’s ability to provide adequate cyber risk oversight. Sustained cyber resilience clearly demands the CISO to be given the independence and organisational clout required to succeed.