That may seem a strange question from an ex-CISO like me, so let me be clear. The enterprise almost undoubtedly needs a CISO. But it is my proposal that the CISO may be more effective reporting into another functional area. It depends on what type of CIO you are, and what your organization needs from its information security program.
Not all organizations are big enough, sophisticated enough, or funded well enough to support a high-end information security program. In that case, the enterprise needs to define the mix of priorities and skills that the CISO will need to have to best support the organization. As part of this process, the CIO needs to do an honest self-appraisal. If you are the type of CIO that aligns with the type of CISO the enterprise needs, then by all means, be their manager. But if you are not, then advocate that the CISO report to the manager who will provide them with the greatest opportunity to successfully contribute the greatest value to the enterprise.
John Kirkwood of Security Innovations outlines three types of CISOs (http://www.csoonline.com/article/print/702330).
- The first type is the Technical Information Security Officer (TISO). According to Kirkwood, this type of CISO "specializes in technical security issues, operations and monitoring. The TISO also coordinates and manages technical policies and control and assessment activities."
- The second type is the Business Information Security Officer (BISO). Kirkwood states that a BISO "specializes in information security issues related to the business" and that their purpose is "to ensure that the business unit or division understands that information security is a business requirement".
- The final type of CISO is the Strategic Information Security Officer (SISO). Kirkwood describes a SISO as one who "specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization's mission, goals and objectives."
Given these different types of CISOs, who should the CISO report to? Kirkwood discusses several possibilities but ultimately states that the CISO should report to "the most effective manager, depending on the type of CISO."
So let's get back to my original proposal. Does the CIO need a CISO? Or, in Kirkwood's terms, is the CIO the most effective manager for the CISO? Kirkwood says the answer depends on the type of CISO the enterprise needs, but a more complete answer takes into consideration what type of CIO you are. And Kirkwood's classifications of CISOs can be applied just as well to CIOs.
Remember Jeff Foxworthy's comedy routine "You might be a redneck if …"? Well, this is a variation of that. You might need a CISO if ...
You might need a TISO if you are a Technical CIO. If you are primarily concerned about managing the IT infrastructure and keeping the lights on, then you need a CISO who focuses on the technical aspects of information security, such as securing the perimeter, protecting access rights, detecting breaches and responding to incidents. But if your organization needs a BISO or SISO, it might be best that the CISO report to the business or risk manager.
If your primary activities are centered on making IT a business enabler, providing customer-facing technologies, or managing customer-related information, then you are a Business CIO and might need a BISO. You might need a CISO who understands securing applications, protecting personally identifiable information (PII), and enabling secure business partnerships. But if your enterprise needs a SISO, it might be best that the CISO report to the executive responsible for establishing strategy or managing risk.
Of course, these examples are not binary. The best information security program would have multiple CISOs (though they would not all have the CISO title) and would include every type of CISO. It would be headed by a SISO who establishes the enterprise's information security strategy, not only to assure its alignment with the enterprise's mission, but to make it a competitive advantage. The program would have BISOs with a dotted-line relationship to the business managers who focus on enabling their initiatives securely. Finally, it would have TISOs with dotted-line relationships to the CIO who focus on the technical infrastructure related to information security.
Does every company need an Information Security program? Yes, absolutely! Does every mature Information Security program need a C-level leader? Yes. Must the CISO report to the CIO? No, not necessarily. The CISO should be placed in the organization where it can contribute the greatest value to the enterprise. The CIO should be involved in the discussion, but their advice should be tempered by the recognition that the CISO's place within the organization needs to be well aligned with the type of CISO the business requires and that may not be within the CIO's realm.
Written By: John Millican, April 2012. John is a Principal with the Office of the CIO Professional Services.