@JKWiniger , yes my thoughts exactly. I usually have no problem with a CISO reporting to another C-level executive AS LONG AS it is NOT the CIO. Having the CISO position under the CIO means that the CIO can filter out what doesn't benefit them when reporting up the chain. Then they can also deflect blame claiming the CISO never briefed them (or inadequately briefed them) if a breach or other security incident occurs. It also causes the CIO to prioritize security differently as they are just another one of their people asking for money allocation.
The CISO needs to be seen as a C-Level executive for not only the peer level consideration but how the organization responds to them. Having them as a subordinate of the CIO diminishes their credibility of their voice.
The problem with the IT industry as I see it is this: IT used to do everything under their umbrella. As security evolved it grew under the IT umbrella. It has risen to a point where it needs to be separated (for many years now). Many organizations did not know when or how to start the separation. Plus separating security out from under IT brought another headache to management. Now they have another voice to listen to and, from a budget perspective, another mouth to feed. They also have to fund another C-level position. Some executives just don't want to be bothered and want an additional buffer between them and responsibility for an incident. Having the CIO in that buffer position now gives them two fingers to point at if something goes wrong. However, this leads to them being blindsided. I have seen incidents where a breach happened and then the CIO split, leaving the organization holding the bag. Some CIOs see themselves losing personnel if security has to be its own entity. They also do not like losing control, and having security people be separate means they have to be told to do some things by people they don't control. BUT if the CISO position is under them, then they don't suffer this loss of control.
I think that was another reason I didn't get the position I mentioned. I mentioned not placing the CISO under the CIO to the new director and his chief of staff (who did a boneheaded thing and shared my email with the CIO without redacting my name). I laid out clear reasons why the CISO should not be under the CIO. I think when the CIO saw it he was pissed off and decided not to hire me, which again reflects his inability to understand leadership principles. He also lost another ally when going for resources to the budget group. It helps to have two C-level executives advocating for resources rather than just one. Also during the application/interview process he got to see my resume and saw that I had more CIO experience than he did (yes I have both CIO and CISO experience!). He knew I would be able to spot his Baloney (lies) and felt threatened by my experience. Not only is he a tyrant but he is also insecure.
So yes, the CISO should not be under the CIO.
@CISOScott would it be unreasonable to make a condition of taking a position to require it to be taken out from under a CIO?
As for the rest, well, IT has always been interesting over the years. Many companies have seen IT just as a budget black hole, until IT departments started charging departments back for the IT services they consumed, and then just like that, overnight, it became a profit center. I think this shift is happening for a lot of companies whether they like it or not with the increased use of cloud technologies, since you can have different subscriptions for almost everything, making it easier than ever to direct the expenditure to the department requiring it.
Splitting security and IT has always seemed tough to me. Take something as simple as patching systems. I guess it would be broken up to where someone on the security team might monitor compliance of patch installation, but if patches are missing they would need to inform the IT side that they need to be installed, and then probably report back. In the old days having the same team monitor and install was a bit easier, but more eyes probably ensures a higher likelihood that things are actually being done right.
I think I am starting to see a failing of mine. With smaller companies I controlled things and decided how and what was done, simply by the fact that I knew what needed to be done and they didn't. Now shifting to larger companies I got the impression that they have established roles and departments and know what they are doing, but in fact they might simply need the same guidance but just on a larger scale and with a bit more assertiveness because there are more players that can keep things from getting done.
I have always done well in larger companies, even when I have pissed people off, because I always kept one thing in mind and let it guide me, what is best for the company...
I strongly believe that unless you have a capable CIO, the CIO will become a bottleneck; I have seen it happen in the last 10 years. For a CISO to be effective they need to have the organization's backing (business), otherwise they are seen as the bottleneck to business growth - until something happens. Security should never be a compromising position but an enabler. Imagine credit card companies or banks having a lower level of security so that users and/or employees can be more efficient. Would that work when millions are lost?
Not directly related but a pertinent point: look at Boeing now. They went after cheap programming resources and got just that, only to have a big mess on their hands with the 737 grounded. They compromised and the outcome was negative. What risk can you afford to take? That is the main question. That applies to your own career as a CISO as well.
@JKWiniger I don't know about demanding it (or requesting it) for a contingent job offer. I would bring it up in the interview and ask if they had thought about moving it out from under the CIO. The problem is that they usually have the CIO in the interview panel.
One way to bring it up is to state that many organizations have started to bring the CISO out from under the CIO in order to ensure that security is seen as a separate entity and not a subordinate of IT. It also makes sense to have the person who effectively audits and watches IT not be under IT's influence or control. It forces collaboration between security and IT, as they now have to work together instead of security being forced to do whatever IT directs. Another great move is to ensure the CISO has a direct communication line to the head of the agency. If a breach happens, it is effectively the top management official who will either directly or indirectly be held responsible. Giving the CISO a direct line of communication to them allows them to be better informed of problems. Having the CIO as a buffer can hinder true communication to upper management.