To Get Really Secure, First Empower Your Leadership: Why the CISO Should Be A Peer, Not an Underling
Each time there’s a major security breach, organizations at all levels reevaluate their cyber security procedures and teams. In fact, 47 percent of C-suite executives hold CISOs accountable for a breach. Some companies choose to use the CISO as a scapegoat but don’t address what it will really take to shore up their enterprise security, and all too often that includes empowering the CISO within the C-suite.
There’s significant value in having the CISO considered equal to the CIO and other C-suite executives, particularly if you have a large, matrixed organization, but PwC found 57 percent of CISOs report to the CIO or head of IT, instead of the CEO or Chief Risk Officer.
In these structures, the CISO doesn’t have the executive empowerment to handle cyber security on an organization-wide level. The CISO lacks the standing to lobby for resources, critical security changes or broader organizational security improvements. The National Association for Corporate Directors (NACD) issued a specific statement as to why limiting the CISO can be problematic for a company: “Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.”
The Benefits of Elevating the CISO to the C-Suite for the Business
When the CISO is elevated to the C-suite, benefits in communications, resources, and security strategy have more of an emphasis among shareholders and the company executives. This additional emphasis allows you to protect against and manage the many cyber threats the typical company encounters in today’s enterprise environment. When you’re a CISO within the C-suite, you have the ability to bring together a team across multiple areas of the organization, such as HR, Law and Compliance, in order to address security issues. A multi-disciplinary team brings into account multiple needs and perspectives, giving the CISO better visibility into the critical security problems in each area and the best way to solve the problems.
Companies with CISOs in the C-Suite
While only 25 percent of C-level executives agree that CISOs deserve a spot at the table with them, companies are starting to come around to the idea. In the 2014 Global State of Information Security Survey published by PwC, the companies considered security leaders had CISOs who reported to top leadership such as the CEO, CFO, COO, CRO or legal counsel. Those companies that were considered leaders “detected more security incidents, have a better understanding of what types of security incidents occur, the source of those incidents, and report lower financial losses as a result of security incidents.”
Phil Curran, who reports to the Compliance Department as Chief Information Assurance and Privacy Officer at Cooper University Hospital, is an example of a CISO who reports to a risk or security team rather than to IT.
Some companies use a mixed approach, such as Allstate, with a CISO who reports to the CIO but also participates in Board of Directors meetings. Sony didn’t have a CISO before its massive data breach, but afterward announced that Philip Reitinger would move into the position as Sony’s new senior vice president and CISO. However, even this arrangement separated the CISO from the executive suite, as he reports to the executive vice president and general counsel. It served as a way to define the role he took: covering broad risk and compliance needs, and handling information security analytics with executive support and an organization-wide view.
Removing information security from the IT silo is the right move to truly fight the cyber threats your business faces on a day-to-day basis. An executive-level CISO can seek out the specialized expertise needed throughout the company, instead of pulling in people who only have an IT perspective. The added perspective in making information security decisions provides better protection for all departments, and it helps mitigate the risk that your company could be the next one in the news for a data breach.