I wouldn’t want to offend the critics, but I recently engaged in a conversation with a fellow of the “old guard” mentality. We are bouncing ideas back and forth about the roles of the CISO and the CIO, where his legacy thinking encourages him to think that in ALL cases, the CISO should report to the CIO. I relented to just admitting that in certain circumstances, the CISO could report to the CISO and it could very well work fine. I however suggested that, let’s say that the organization having the two roles is a multi-national bank; in this case, maybe the CIO should be reporting to the CISO… but he’s the old guard who would never buy that logic!
Hm... I don't know about that one. I could see the CISO and CIO being peers, but that's probably as far as CISO would go up the chain because of the scope of responsibility.
I would think that you'd likely have a structure where even the CIO falls under another head, such as the COO or the CFO, and the CISO and CTO both under the CIO for a larger organization like a multinational bank.
I think the only way that the CISO succeeds if under a CIO is if they have a direct line to the CIO's boss or higher. Every organization I have seen where the CISO reports to a CIO the CIO has undoubtedly shot down an initiative the CISO was presenting. In some cases it was because it exposed the CIO's failings and the CIO did not want it brought to light. In other cases it was funding, staffing or another legitimate issue. So the biggest hang up is does the CISO have a way to bring something to the CIO's boss if it exposes incompetence/wrongdoing/etc. of the CIO.
The second fallacy I see when the CISO is under the CIO is the comingling of funding. Making the cyber security budget part of the overall IT budget, without a separate line item for it, is problematic. The CIO always has unfunded projects/priorities and since they hold the purse strings they can deny security related items. Then when a breach happens, the CISO is hung out to dry for not putting the correct security items in place. Also being able to tell how much a company is spending on cyber security can be difficult when it is comingled.
I think that as cyber security evolves we will see more separation of security from IT. I am starting to see a shift in this area. Before, in IT, anything doing with computers was IT. You bought anti-virus, it was IT. You had staff managing the AV, they were IT staff. You had an internet monitoring program, it was IT, etc. Now companies are starting to see the need to separate these functions. As we move more to cloud environments/consolidated data centers, we see IT staff being shuffled around and new positions being created.
I think we are still young in this field and you will see more separation of the CISO's from being under the CIO and them starting to be seen as peers instead of C-suite lite.