by Hank Berkley
Contributing editor

Most departments within a business are distinct and wholly intact, which leads to a clear management hierarchy, but technology and its related aspects bring overlap, conflicting goals and confusion. Companies seem to find it particularly challenging to figure out where in the corporate pyramid the Chief Information Security Officer (CISO) fits. While the title implies a most senior placement, many are justifiably hesitant to place these people near the top. Is there a “right” place for the CISO?*

Some industries have seen legislation passed that specifically mentions the title of CISO. While the regulations likely mean to refer generically to a senior security person, they often use the title CISO. This forces companies which might otherwise use a different designation to name someone as the CISO, implying a position comparable to a CFO or CIO. For example, New York State’s Department of Financial Services mandates that all banks and insurance companies doing business in the state have a CISO by title, but it does not define to whom the position should report.

The Boards of Directors of many publicly traded companies are increasingly concerned about cybersecurity, and many regularly hear from senior management about the status of security matters. Each board defines the level of detail it wants to hear. While the CISO makes the presentation personally in some firms, others choose to roll it into an internal audit report or into an operations discussion. The choice is usually driven by the level of trust the board has in a particular individual, with a lot of weight given to finding a person who can speak at the appropriate level and help the board understand the issues. It is not based on the title of the presenter.

The average tenure for a CISO in the US is a bit over 2 years, according to Ponemon. Most have no particular industry expertise, preferring to focus on the very technical aspects of information security. Experience has shown that many of these relatively young technicians do not have a good understanding of the need to balance risk within a business. Certainly, without any longevity within an enterprise, these CISOs are not likely to understand the risk tolerance of their organization. Providing some of these people with open access to the Board of Directors may not be the best choice.

That same Ponemon study found that more than 1/3 of CISOs would leave a job if they did not feel that the company was spending enough on security, or if their employer was not taking security as seriously as they felt was appropriate. While many of those people may still be able to weigh the needs of the company, for others this suggests a bias in their views. Should those people present to the board?

And all this says nothing about whether a CISO can address the board in the business terms it is looking for. Cybersecurity is an important topic and having its value diminished by someone with a slide full of acronyms is not helpful. Having a well-balanced discussion that can be understood in business terms is essential. The last thing you should want is a decision that is based on who has the best PowerPoint deck.

On the other hand, placing the CISO within the rest of the IT organization may reduce the security team’s ability to balance its function against that of operations. You wouldn’t have the internal audit group as a part of the accounting department!

So where do security, and specifically the job of the CISO, fit?

It turns out that it is not an organizational question. It is a question of who that individual is and what competencies and knowledge they bring to the table. CISO candidates are in short supply today; most are young and without a lot of business experience; and many tend to speak more in acronyms than in English. Most of them will need support from other groups to build an understanding of the business and its culture. He or she may help prepare a document for the Board of Directors to consider, but might not be the one to present it.

It is important to have a good CISO, but finding one who can handle the very technical aspects of the job, communicate at a high level and balance the needs of the business is extremely difficult today. It may be necessary to compromise and then adjust the position to provide appropriate support in the areas where your CISO falls short. The key is to be flexible and not get locked into an organizational chart.

* All of this is in very broad terms and should not be construed as a condemnation of any specific individuals. The abilities of each person should be considered in each unique job.

Mr. “Hank” Berkley is an Information Technology adviser with over 30 years in the industry, 10 of which were as the VP of a Fortune 500 property and casualty insurance company. He is an expert in IT operations, cybersecurity, software contract negotiation, and cyber-risk evaluation. His focus with clients is to balance IT costs with business benefits, and to build an information security program that matches their business and compliance requirements with their risk appetite. Hank graduated Magna Cum Laude from New York University’s Stern School of Business with degrees in Information Technology, Management and Marketing.
