In Survey, CISOs Expect to Report Directly to the CEO in the Future
Today more than half of CISOs report to the CIO, and just 15% report to the CEO, with the rest reporting to the COO or to risk-related organizations, according to a K logix survey of 30 CISOs. But when asked about the future of the security organization, 50% of CISOs responded that the role will report into the CEO.
CISOs point out a number of important factors when suggesting the role should move out of the IT department. Some CISOs felt that reporting into the CIO introduced a conflict of interest as security teams assess the risks of specific technology systems and often recommend that technology be used to address the risk. Phil Curran, who reports into the Compliance Department as Chief Information Assurance and Privacy Officer at Cooper University Hospital, is one security leader who believes as much. His group reported into the CIO at first, but found that structure limited their ability to effectively communicate risk to other business units. He states, “The move out of IT was among the biggest factors in the success of our information assurance and privacy program.”
Other CSOs believe that the CEO needs to hear directly, and frequently, about risk. Christopher Dunning, CSO at Affinion Group, a marketing services organization, says that it makes business sense to run Information Protection or Security outside of the IT department. “Security is not just a technical problem, it is also a business challenge. It cannot be solved with just a technical solution. You have to also take a business-centric approach.”
The CISOs in the study reported an average of ten months in their position, and 71% were in the role for the first time. While most CISOs still report into the CIO, it is notable that those in their second, third or fourth CISO role are the ones most likely to report into the CEO today. One reason could be that when CISOs look for their next opportunity they seek CEO-level sponsorship of the security organization. Steve Bartolotta, CISO at Community Health Network of CT, and formerly CISO at Yale New Haven Health System, is a good example. He states, “Community Health Network elevated the role of CISO to report directly to the CEO just prior to my coming on board.”
With just 15% of CISOs currently reporting into the CEO, security leaders have some work to do in order to make this prediction a reality. The question remains: what can CISOs do to facilitate the move out of the IT organization and become a more autonomous, business-focused organization with direct access to the CEO and more influence with the Board of Directors? Here are four ways to position security for this change.
EXPLORE - First and foremost, security leaders must be explorers. It is imperative to identify all the risks as well as the opportunities that exist in the business environment. This requires a plan for exploration and identification. Most CISOs identify risk, but are not looking for opportunities. By identifying opportunities as well as risks, CISOs become business-focused allies to their peers.
EXPLAIN - Both risks and opportunities must be relayed to the business units in an effective, digestible and actionable manner. If risks and opportunities are explained correctly, security has the ability to empower business users to make smarter decisions and work more effectively.
INNOVATE - Security leaders seeking to elevate themselves within the organization should also elevate their work beyond operational projects to a more innovative and transformational role. The right technologies can help them work smarter and be more analytical. By leveraging innovative, intelligent technologies, security teams can spend less time running systems and more time analyzing performance to identify issues and opportunities.
ADVOCATE - Beyond deputizing employees and customers to be smarter about security, CISOs who report into the CEO will advocate for their teams and projects by explaining how security can impact business objectives.
The relationship between the CISO and CEO is already getting stronger, as CISOs report more one-on-one interaction with the CEO and more requests for education and insight from the Board. However, to become a trusted resource and direct report, CISOs must be perceived as critical to business performance and revenue, which requires some changes in function and focus.
This article was originally published on DarkReading.com. Written by Kevin West, CEO, K logix.