
Should The CISO Report To Someone Outside IT?


Short answer: SWEET MERCIFUL CRAP YES!

From Information Week:

McAfee CEO David DeWalt sees more companies are having the chief information security officer report to someone other than the CIO. The reasoning is security involves much more than data security—and that IT needs a watchdog over its attempts to secure information.

DeWalt spoke at the InformationWeek 500 Conference in Tucson Tuesday, spotlighting the five broad trends he sees in security. In a conversation after his keynote, DeWalt spotlighted one other change, with the CISO increasingly reporting to the CFO or another executive.

I have always held the position that a CISO who reports to the head of IT is a perdue who knows his fate is sealed. How can a CISO effect change in any demonstrable way when his/her hands are tied behind their back? It is in the best interest of a CIO to keep a short leash on a CISO for fear that the inadequacies of their day-to-day operations are drawn out into the light (if that happens to be the situation).

But, who does this help? Certainly not the customers, shareholders or the organization for that matter. Nope, the only one who benefits from having the CISO report to the CIO is the CIO. Keep your friends close and your enemies closer?

UPDATE: OK, on further reflection (thanks shrdlu) I should wrap some more text around this idea. IT and Infosec need to work together, not at odds. That being said, IT needs to be held accountable. On the other side of the coin, Infosec needs to be technically capable. I’m fortunate in that I have come from a technical background, but many Infosec folks do not have that skill set. So, yes, that would be a real stumbling block. To be truly effective (as a CISO) you have to win the hearts and minds of the very people that you are working with. The “prince of darkness” is not a moniker that would denote a spirit of detente. If you do not have the support, your Infosec program will fall on its face.

Article Link


    shrdlu said,

    September 18, 2007 @ 5:56 pm

    Hey Dave, here I’ve got to disagree with you pretty strongly. My reasoning is here: http://layer8.itsecuritygeek.com/index/layer8/reporting-lines/

    And I’m not saying that because I’m a CIO, neither :-)

    Dave Lewis said,

    September 18, 2007 @ 7:48 pm

    No problem at all. I welcome the comments. I had a read through your post and I have to respectfully disagree. I’m an IT guy that crossed over into Infosec (albeit with a gun to my head). I agree that arbitrary policies delivered “from the mount” aren’t of much value. I have been looking at this from my own bias as I’m of two minds. Part IT, part security wonk.

    I don’t see the CISO role as an “us versus them” by any means. That is about as counterproductive as I can imagine. But, without separation at least in a reporting line, you are limited in your ability to successfully implement positive change.

    I enjoyed your post and thanks for the comment.

    cheers

    :)

    shrdlu said,

    September 19, 2007 @ 6:14 am

    Thanks, Dave :-) I’m a former IT person myself, but to be honest, I still think of myself as one, even though I’m a CISO now. I don’t find myself hampered at all in my current reporting structure (yes, to the CIO), because we both have the same senior executive approving our budget (the CFO) and I have direct access to the CFO whenever I think I need it. We’re all on the same page that it’s the business that makes the ultimate decisions on security risk, and we’re all clear that I report on news both good and bad. It was the same situation in my last job too. Maybe a sample of two is too small, but I really don’t see an *inherent* problem in staying within IT.

    Dave Lewis said,

    September 19, 2007 @ 7:24 am

    You my friend, have a good set up. Sadly, not all are quite so fortunate. So, when viewing the situation from your perspective I can fully appreciate your position.

    lucky…grumble…grumble

    :D

    myrcurial said,

    September 19, 2007 @ 10:26 am

    It’s almost like he knows me and knows how to get me to pull my head out of the maw of doom long enough to type a little.

    You’re both right.

    There.

    Where I’m at now is that I’ve done all I can for the IT group and I need to have influence with the lines of business. The LOBs however, aren’t fans of the IT group (long history of negative working relationships) and it would be very helpful to me to be in a different reporting relationship in order to make that happen.

    At the same time, were I not part of IT, I could not have implemented the level of change that I have over the past year.

    It becomes very dependent on whether your CIO is *truly* a CIO or whether (s)he’s a CITO with the wrong title. And are you a CISO or a CITSO? Are you managing Information or are you managing Information as it pertains solely to Technology? Do you take care of the analog world or just the digital world.

    And does your organization enforce a difference between those two worlds (as both Dave’s and mine do)?

    I’ve got more thoughts on this, but not time now… I will though.

    shrdlu said,

    September 20, 2007 @ 6:08 am

    myrcurial, excellent point. No, our “I” that isn’t “T” always tends to fall through the cracks — as though it were either too obvious to mention or it doesn’t matter, because everyone knows (or should know) how to secure paper. What few issues come up get shuttled over to the Legal department.

    Hey, and you don’t have to have an already dysfunctional IT relationship to be feared and loathed as an ISO in your own right. Any time I ask to talk to someone, I have to add immediately, “Don’t worry, you’re not in trouble.” Whenever someone from security, audit, HR or legal shows up at your door, you know it’s probably not going to be a good day.

    Rationalists, Risk, And (Yawn) Asymmetry | RiskAnalys.is said,

    October 2, 2007 @ 8:02 am

    [...] First, there is “Security Staff as Ultimate Insurance”. Had the honor of sitting down and having some Walleye with a gentleman that runs the IRM program for one of the nation’s larger banks yesterday. Very interesting conversation on many levels, but one of the topics we breached was “Where does the CISO’s office fit”. I’ve had a strong post on the subj. in draft form now for about a month or so. I still aim to post my analysis on the subj., but in the meantime do read Richard’s blog and this one from Liquidmatrix as well: “Should The CISO Report To Someone Outside IT?” [...]
