Comments on: Should The CISO Report To Someone Outside IT?

By: Rationalists, Risk, And (Yawn) Asymmetry | RiskAnalys.is

Rationalists, Risk, And (Yawn) Asymmetry | RiskAnalys.is — Tue, 02 Oct 2007 13:02:03 +0000

[...] First, there is “Security Staff as Ultimate Insurance“. Had the honor of sitting down and having some Walleye with a gentleman that runs the IRM program for one of the nation’s larger banks yesterday. Very interesting conversation on many levels, but one of the topics we breached was “Where does the CISO’s office fit”. I’ve had a strong post on the subj. in draft form now for about a month or so. I still aim to post my analysis on the subj., but in the meantime do read Richard’s blog and this one from Liquidmatrix as well Should The “CISO Report To Someone Outside IT?” [...]

By: shrdlu

shrdlu — Thu, 20 Sep 2007 11:08:29 +0000

myrcurial, excellent point. No, our “I” that isn’t “T” always tends to fall through the cracks — as though it were either too obvious to mention or it doesn’t matter, because everyone knows (or should know) how to secure paper. What few issues come up get shuttled over to the Legal department.

Hey, and you don’t have to have an already dysfunctional IT relationship to be feared and loathed as an ISO in your own right. Any time I ask to talk to someone, I have to add immediately, “Don’t worry, you’re not in trouble.” Whenever someone from security, audit, HR or legal shows up at your door, you know it’s probably not going to be a good day.

By: myrcurial

myrcurial — Wed, 19 Sep 2007 15:26:14 +0000

It’s almost like he knows me and knows how to get me to pull my head out of the maw of doom long enough to type a little.

You’re both right.

There.

Where I’m at now is that I’ve done all I can for the IT group and I need to have influence with the lines of business. The LOBs however, aren’t fans of the IT group (long history of negative working relationships) and it would be very helpful to me to be in a different reporting relationship in order to make that happen.

At the same time, were I not part of IT, I could not have implemented the level of change that I have over the past year.

It becomes very dependent on whether your CIO is *truly* a CIO or whether (s)he’s a CITO with the wrong title. And are you a CISO or a CITSO? Are you managing Information or are you managing Information as it pertains solely to Technology? Do you take care of the analog world or just the digital world.

And does your organization enforce a difference between those two worlds (as both Dave’s and mine do)?

I’ve got more thoughts on this, but not time now… I will though.

By: Dave Lewis

Dave Lewis — Wed, 19 Sep 2007 12:24:49 +0000

You my friend, have a good set up. Sadly, not all are quite so fortunate. So, when viewing the situation from your perspective I can fully appreciate your position.

lucky…grumble…grumble

By: shrdlu

shrdlu — Wed, 19 Sep 2007 11:14:26 +0000

Thanks, Dave I’m a former IT person myself, but to be honest, I still think of myself as one, even though I’m a CISO now. I don’t find myself hampered at all in my current reporting structure (yes, to the CIO), because we both have the same senior executive approving our budget (the CFO) and I have direct access to the CFO whenever I think I need it. We’re all on the same page that it’s the business that makes the ultimate decisions on security risk, and we’re all clear that I report on news both good and bad. It was the same situation in my last job too. Maybe a sample of two is too small, but I really don’t see an *inherent* problem in staying within IT.

By: Dave Lewis

Dave Lewis — Wed, 19 Sep 2007 00:48:04 +0000

No problem at all. I welcome the comments. I had a read through your post and I have to respectfully disagree. I’m an IT guy that crossed over into Infosec (albeit with a gun to my head). I agree that arbitrary policies delivered “from the mount” aren’t of much value. I have been looking at this from my own bias as I’m of two minds. Part IT, part security wonk.

I don’t see the CISO role as an “us versus them” by any means. That is about as counter productive as I can imagine. But, without out separation at least in a reporting line you are limited in your ability to successfully implement positive change.

I enjoyed your post and thanks for the comment.

cheers

By: shrdlu

shrdlu — Tue, 18 Sep 2007 22:56:28 +0000

Hey Dave, here I’ve got to disagree with you pretty strongly. My reasoning is here: http://layer8.itsecuritygeek.com/index/layer8/reporting-lines/

And I’m not saying that because I’m a CIO, neither