With high-profile cyber threats reaching historic levels during the pandemic, the role of the CISO is coming into focus. ISACA's State of Cybersecurity 2021 (Part 2) report, produced in partnership with HCL Technologies, shows that the CISO's reporting structure needs an overhaul in the complex post-COVID-19 security landscape.
The survey notes that while roughly half of security teams (48%) report directly to the CISO, a quarter report to the CIO and 12% report to the CEO. Among organizations whose security teams report to the CIO, the CISO may also report to the CIO, the report notes.
An earlier ISACA study found that when cybersecurity teams report directly to a designated and experienced cybersecurity officer (CISO), they express much more confidence in their team's ability to detect and respond to attacks effectively. This indicates that despite the prominence of the role, the CISO reporting dilemma persists. To understand why, it helps to trace the origin of the modern CISO reporting structure.
The CISO reporting dilemma
Previously, the role of the CISO was limited to that of an IT security manager, a largely technical position. As security threats grew exponentially and their impact on businesses became significant, this back-office role gained prominence, although in most businesses the CISO was still treated as an adjunct to the C-suite rather than a member of it. With boards increasingly recognizing security threats as the number one business risk, the role is quickly finding its way into the C-suite. Despite this, in most organizations the CISO's role tends to be less business-oriented and more technical.
A Ponemon Institute report notes that because of an ambiguous hierarchical structure in most companies, the CISO is limited to viewing issues, including business challenges, through a technical lens.
Interestingly, even today, in most organizations the CISO reports to the organization's head of technology and, in the worst case, to someone with little knowledge of security or technology.
The Ponemon report, for example, found that 50% of CISOs report to the CIO and 46% report to the CTO, CFO or COO. Only 4% said they reported to the CEO or the board. The report observes that the CISO's reporting line within the C-suite directly affects the role's effectiveness and its confidence in mitigating threat incidents.
The CIO and CISO partnership is vital
In this regard, the role of the CIO is considered essential to the organization's overall cybersecurity strategy, and the two roles must be more collaborative to achieve business results. In a recent McKinsey article, Oliver Bevan, associate partner in McKinsey's Chicago office, and his co-authors observed, "The CIO team has an equal interest in tackling cyber risk throughout the process. Their equality is absolutely essential, as the CIO and the team are primarily responsible for the implementation and will need to balance the security requirements for their capacity with their other 'run' and 'change' IT requirements."
As the landscape evolves, the CIO and CISO should work more collaboratively. "Now they have realized that security cannot exist in a vacuum. The two leaders are therefore focused on understanding each other's points of view and on the same goal of accessibility, security and organizational resilience," noted Sheril Jose, DGM-IT and Head-Cyber Security at Emcure Pharmaceuticals, based in Pune.
In fact, research shows that CISOs are most effective when viewed as equal partners within the management structure. Leigh McMullen, vice president of research at Gartner, noted in his blog that security leaders must strategically balance enterprise and IT concerns, and that their collaboration with the CIO must therefore be strong.
The role of the CISO in the spotlight
It is therefore crucial to define who is involved in security-related decision making in an organization and to ensure that these people are empowered to make business-based risk management decisions. In this regard, strong leadership is essential for an effective information security program, say ISACA researchers.
Experts believe that in the era of the remote and hybrid workplace, if CISOs are to play a larger role, they must not only have the necessary technical expertise and leadership skills but also understand their business operations and articulate security priorities from a business perspective.
"CISOs need to be able to clearly explain how cybersecurity strategy relates to IT and business strategy, and CIOs need to be able to do the same with how they link IT to cybersecurity and business goals," Vishak Raman, Director, Security Business, Cisco India & SAARC, said in an interview with CXOToday.
Raman said: "It is essential to nurture a culture that recognizes cybersecurity as a top priority. To achieve this, there must be synergy between business leaders and security officials. They will help accelerate their organization's recovery and shape its new phase of growth, with security at the center and foundation of all business imperatives."
CISOs are more likely to be effective when they are respected and well known within their organization, or when they are able to quickly build a network and develop positive relationships, regardless of their stature. An understanding of the business and the ability to communicate on security, risk and compliance issues can therefore put the role of the CISO in a new light.