Target’s recent appointment of Brad Maiorino was received with great
fanfare this past week, an indication that Target was willing to bring
in the “big guns” to address security in the wake of last Fall’s massive
data breach at the big box retailer. But the disclosure that the position will report to Target’s CIO has
rekindled the debate about what the most effective reporting structure
should be for the CISO to deliver better overall security.
In last week’s ‘SANS Newsbites’ newsletter, Stephen Northcutt,
Shawn Henry and John Pescatore debated the wisdom of this reporting
structure with Northcutt and Henry arguing that it diminishes the
effectiveness of the CISO. Pescatore, on the other hand, claimed, “there
is zero real-world correlation that security goes up - or down (when
the CISO reports to the CIO)”. While I agree with John that the
relationship between the CISO and his/her boss is critically important
to the CISO’s success, I am compelled to point out that there actually is
empirical data supporting the argument that having the CISO reporting
outside of the CIO’s office does improve the organization’s security
when measured against downtime and financial losses.
This finding comes from the 2014 Global State of Information Security Survey,
conducted each year, for more than a decade, by PwC, CSO and CIO
magazine. I've not previously called out this data because I thought
this argument had been put to bed... apparently I was wrong. So here it is:
with more than 9,000 respondents from around the globe, the survey
found that those organizations in which the CISO reported to the CIO
experienced 14% more downtime due to cyber security incidents than those
organizations in which the CISO reported to the CEO, and, when the CISO
reported to the CIO, financial losses were 46% higher than when the CISO
reported to the CEO. In fact, having the CISO report to almost any position
in senior management other than the CIO (Board of Directors, CFO, etc.)
reduced financial losses from cyber incidents.
I also examined the findings from the 2013 survey and found the
same basic conclusion: reporting to the CEO or the Board of Directors,
instead of the CIO, significantly reduces downtime and financial losses
resulting from cyber security incidents.
I've always believed that not every organization is the same and that no
one model will work everywhere. However, there's a lot to be said for
having IT security leadership report to the top of the house, but not to
the CIO: the reduction in conflict of interest between the CIO's objectives
and the CISO's objectives, the ability to escalate issues to the top of the
house, as well as the opportunity it provides for security to influence
corporate leadership. It's critical that the CISO and the CIO work
together towards the common goal of aligning security with the business
objectives and risk appetite of the organization, but it's clearly best
done when they are peers with an equal voice in the discussion.