Get the CIO out of the Reporting Line for Security...
Drazen Drazic
CIOs cop quite a bit of criticism from the Information Security industry and the people in it.
Rightly so I believe in most cases. We’re in 2012 now, not 1999, where ignorance of basic security could still be forgiven (somewhat). Hacking was still a dark art to many then.
Don’t get me wrong, there are some really good CIOs out there when it comes to understanding and working on Information Security issues and doing the right thing by their companies, but to be honest, there are many CIOs that also fail dismally. Regardless of whether they’re getting advice and guidance from their security people, ultimately, a level of accountability must sit with them.
If you’re a CIO and you’re not reporting state of risk and security on a regular basis to your CEO and/or Board, you not only are putting your organisation at greater risk but looking at the bigger picture, also business partners, shareholders and everyone else associated with that business? (The CFO is reporting financial position and risks on a regular basis, so why aren’t you?)
As a CIO, are you on top of amendments to the Corporations Act? Do you know what your Board of Directors role is in terms of Risk Management oversight and governance? Do you know a Board’s role? If not, why not?
What is the problem with many CIOs?
In brief, it comes down to some or all of the following: - A general lack of understanding and appreciation of the true risks (and what should be being done) - Security projects not seen as a high priority / high profile projects - Lack of budget to dedicate to security - Fear of looking bad [to senior management]
I could also add that some don’t really care, and while that may be the case for some, I’d like to hope that any in this category would make up less than 1% of the CIO population, (though some of you may have differing opinions on this). In my opinion, the four points above probably cover the majority of reasons why CIOs fail when it comes to Information Security.
It’s interesting when we get the opportunity to present the findings of work we’ve undertaken for an organisation to the CEO and/or Board as opposed to just talking with the IT Security Manager or CIO.
The IT Security Manager (or CSO) generally takes issues reported seriously and attempts, to the best of their abilities— set against organisational roadblocks (sticking points) to get the issues resolved. They’re generally on the same wavelength and understand what these issues potentially mean to the business. (More IT Security Managers and CSOs should be the CIO).
For the CIO, somewhere along the line, the logic in terms of impact and potential risk to the business gets lost and clouded as they assess the report and meld it with the 4 bullet points mentioned above—sticking point! And this is where the majority of Information Security issues remain—filed away in the too-hard basket. Information security people start complaining, lose respect and confidence in the CIO, become disgruntled, and most eventually leave to look for greener pastures.
Interestingly, CEOs and boards are more interested in listening to Information Security issues being faced by their business than most CIOs are. Their eyes don’t glaze over and they genuinely care and want to understand the potential impacts to the business. In almost all cases where we’ve been invited to present to the CEO and/or board, that organisation has rapidly changed their mindset and approach to Information Security and Risk Management practices.
Is there a better argument for removing the CIO out of the reporting line for Information Security? We can ramble on and on about awareness growing, CIOs getting more involved, things are changing and so on, but is that really the case? It’s 2012—I’ll say it again—and since I first wrote this in 2008, little has changed!
CIOs need to realise that boards and board reporting are going to be putting more pressure on them as boards realise that, as part of their Risk Management oversight and governance, IT risks are as threatening to the business as many other things they traditionally assess. Catch up!
Many CIOs like to position themselves as “business” people. But if they want to be seen that way, they need to start thinking and behaving as “business” people too.