I wouldn’t want to offend the critics, but I recently engaged in a conversation with a fellow of the “old guard” mentality. We are bouncing ideas back and forth about the roles of the CISO and the CIO, where his legacy thinking encourages him to think that in ALL cases, the CISO should report to the CIO. I relented to just admitting that in certain circumstances, the CISO could report to the CISO and it could very well work fine. I however suggested that, let’s say that the organization having the two roles is a multi-national bank; in this case, maybe the CIO should be reporting to the CISO… but he’s the old guard who would never buy that logic!
Lamont,
Hm... I don't know about that one. I could see the CISO and CIO being peers, but that's probably as far as CISO would go up the chain because of the scope of responsibility.
I would think that you'd likely have a structure where even the CIO falls under another head, such as the COO or the CFO, and the CISO and CTO both under the CIO for a larger organization like a multinational bank.
CEO
 |- CFO
     |- CIO
         |- CISO
         |- CTO
I think the only way the CISO succeeds under a CIO is if they have a direct line to the CIO's boss or higher. In every organization I have seen where the CISO reports to a CIO, the CIO has undoubtedly shot down an initiative the CISO was presenting. In some cases it was because it exposed the CIO's failings and the CIO did not want it brought to light. In other cases it was funding, staffing or another legitimate issue. So the biggest hang-up is whether the CISO has a way to bring something to the CIO's boss if it exposes incompetence/wrongdoing/etc. of the CIO.
The second fallacy I see when the CISO is under the CIO is the commingling of funding. Making the cyber security budget part of the overall IT budget, without a separate line item for it, is problematic. The CIO always has unfunded projects/priorities, and since they hold the purse strings they can deny security-related items. Then when a breach happens, the CISO is hung out to dry for not putting the correct security items in place. Also, being able to tell how much a company is spending on cyber security can be difficult when it is commingled.
I think that as cyber security evolves we will see more separation of security from IT. I am starting to see a shift in this area. Before, anything to do with computers was IT. You bought anti-virus, it was IT. You had staff managing the AV, they were IT staff. You had an internet monitoring program, it was IT, etc. Now companies are starting to see the need to separate these functions. As we move more to cloud environments/consolidated data centers, we see IT staff being shuffled around and new positions being created.
I think we are still young in this field, and you will see more separation of CISOs from being under the CIO, with them starting to be seen as peers instead of C-suite lite.
An update.
Look what happened at Change Healthcare. They hired a CIO to be their CISO, and now some people are blaming Change HC for hiring an "inexperienced" CISO. Was he really inexperienced or just a convenient fall guy? I'm sure he had some cybersecurity knowledge, but did he have enough?
In my career I have held roles on both sides, CIO (CIO, Deputy CIO, IT Technician) and CISO (CISO, vCISO, Cyber security Division Director, ISSO, FISO, ISSR, and ISSM), so I feel I could do well in either role.
Any new thoughts on this?