When CSO teamed up with PricewaterhouseCoopers to conduct its Eighth Annual Global Information Security Survey earlier this year, one question asked was who CISOs are reporting to these days. What the majority of respondents said was somewhat surprising.
Of the 12,847 respondents, only 6.5 percent described themselves as a chief information officer. Meanwhile, when CISOs were asked who they report to, most said the company CEO or board of directors. Less than a quarter of respondents said they report to the CIO.
A follow-up column questioned whether that's a good thing. The response to that was more jolting than the surprise over reporting structure.
The majority of the feedback mirrored this observation from Robert Alberti, a Minneapolis-based security and IT professional:
"CIOs and CISOs will always have an adversarial relationship, and that's as it should be," he wrote in the comments section of the column. "In my opinion, CISOs should never report to the CIO."
He explained that the CIO's role is operational, that their job is to keep things running. The CISO's role, on the other hand, is to reduce IT risk. If the CISO reports to the CIO, he reasoned, then risk reduction would always take a back seat to operations.
"While it would be better if CIOs had a firmer grasp of security, it would also be good if auto mechanics had a better grasp of economics, but they don't and it's not likely they will soon," he said. "CIOs have a lot to do, that's why the CISO is a separate role. As both professions continue to specialise, the gap between CIO and CISO will not go away."
The real trick is for corporate leadership to balance the messages from both the CISO and the CIO in order to appropriately judge what risks to accept and what risks to remediate when doing business, he concluded.
As part of our ongoing series on "The new CSO-CISO" we asked several security practitioners about this. Not surprisingly, some pushed back on the notion that CIOs and CISOs should exist in separate silos, including Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services. In the four and a half years he has been with the organisation, he has had three bosses: The chief financial officer, the CIO and now the chief risk officer. His experience with the CIO was anything but adversarial, and the two accomplished a lot together, he said.
"In the beginning, when I reported to the CFO, the top brass wanted me close by because they were dealing with a crisis situation," he said, referring to the uncomfortable distinction Providence Health & Services had in being the first organisation penalised for violating the privacy section of the federal Health Insurance Portability and Accountability Act (HIPAA). The organisation, which operates a health plan and several hospitals, agreed in 2008 to fork over $100,000 and make good on a systems improvement plan as part of a deal with the U.S. Department of Health & Human Services (HHS) to settle allegations it lost laptops and electronic backup programs with individually identifiable health information in 2005 and 2006. Cowperthwaite was hired to help the organisation turn its security program around.
But, he said, there's a downside to reporting to people that high up the chain of command: Their time for you is more limited.
"A CFO or CEO is going to have about 15 minutes a month for you, and you need more time than that," he said. "You need a mid-level person like a CIO in your court to champion your cause to upper management."
With that in mind, he said reporting to the CIO was a positive, productive arrangement.
Josh Corman, a senior security analyst with the Boston-based 451 Group, has a more middle-of-the-road position on how the relationship should work.
"You need checks and balances, but you can't really compare and contrast the role of a CSO and CISO without mentioning where the CIO fits in," he said.
Regardless of the reporting structure, others -- even those who see the logic in an adversarial relationship between CSOs and CIOs -- said there is simply no excuse for a CIO to be completely divorced from security. Eric Baer, CISO for a government organisation based in the Midwest, wrote this in the comments section of that earlier column:
"While I agree with the idea of not having the CISO report to the CIO, that still doesn't excuse the CIO from 'doing security.' Simply keeping things running for the sake of keeping things running is a 1990s paradigm that needs to go away. In reality, secure operations (especially in heavily regulated industries) should be baked in."
He continued, "Why shouldn't the CIO have a security group? The CSO-CISO could be a compliance shop. Better yet, have IT governance report to the risk officer, COO, CFO whomever, and then security operations can be part of the technology group."
He concluded: "We can gnash teeth and stomp feet all we want to about security being ignored or discounted, but if it isn't included at the operational level then where should it be?"