Who should the CISO report to? Needing justification.

SoCalGuy858 CISSP, GCIH, GSEC, Project+ The Triangle Member Posts: 150
I'm currently putting together justification for a proposal that would move my company's InfoSec organization out from under IT and make our senior security person on the same level as our senior IT person. I've got quite a few article-based sources for reasoning, but I'm looking to see if anyone has any sources for white papers or anything more official. SANS has come up with one item, but it barely touches on the position we'd like to communicate.

Anything would be appreciated!
LinkedIn - Just mention you're from TE!

Comments

  • tpatt100 Member Posts: 2,991
    I remember reading several reasons as to "why" but the biggest was due to conflict of interest so I would look for that first. Your senior IT person can run interference for all of your senior security person's concerns and make his position almost worthless.
  • tpatt100 Member Posts: 2,991
    This LinkedIn post brings up some good points:

    5 Reasons the CISO Should Report Directly to the CEO and Board
    Increasingly, it is the board of directors and CEO that are held accountable by the shareholders and the public in the event of an information security incident. So they deserve the opportunity to make the key security decisions after being briefed on the company's security posture and threat landscape directly from the most senior security expert in the company and having the opportunity to question this expert.

    If the CISO reports to the CIO the senior IT person may try and sweep issues under the rug if the findings reflect poorly on the CIO. This requires proper soft skills when it comes to employees and management working together rather than finger pointing.
    This reporting structure gives the CISO access to the business leaders so that they can better ensure that the security strategies are aligned with business strategies.

    This is important, but I wonder if current CEOs are being educated properly to include a high-level understanding of e-commerce, privacy laws and the importance of security. The new and upcoming generation is being raised on stories of security breaches, but the old timers are probably ignorant and need direct interaction between the CIO and CISO to better coordinate available resources rather than getting second-hand security information from the CIO.

    In my current role I am becoming disenfranchised because I was hired by the President of the company but report to the IT manager, so all of my concerns are being filtered.
  • Mishra Member Posts: 2,468
    Always an interesting topic for companies. I've seen many different approaches.

    Only advice is to do a job search for CISOs and come up with your own data on who the position reports to.
    My blog http://www.calegp.com

    You may learn something!
  • the_Grinch Member Posts: 4,165
    CISO should report directly to the Audit Committee. This allows him/her to voice concerns and take a risk based approach to security, which the audit committee will understand. Also, this takes him/her out of the "business is all that matters" approach that often happens at companies. I've seen it on multiple occasions where marketing or another business unit wants a new piece of tech or access to data asap (controls be darned) and if the ISO is reporting to the CEO or CIO they get trumped.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • TechGuru80 Member Posts: 1,539
    the_Grinch wrote:
    CISO should report directly to the Audit Committee. This allows him/her to voice concerns and take a risk based approach to security, which the audit committee will understand. Also, this takes him/her out of the "business is all that matters" approach that often happens at companies. I've seen it on multiple occasions where marketing or another business unit wants a new piece of tech or access to data asap (controls be darned) and if the ISO is reporting to the CEO or CIO they get trumped.
    Not exactly...the CISO needs to report to the top aka the CEO (or board...not sure if that is what you meant by audit committee but generally it would be to the CEO). The CEO ultimately will go down along with other executives of security if not done correctly.

    The CISSP CBK has some good breakdowns of pros/cons of security reporting to various areas. Basically for IT, IT is concerned with availability and has conflicting interests with their own projects and milestones. As a lot of us know the common saying by the organization..."security is just a roadblock". By having the CISO report to the top, views are unbiased and free of other pressures that would let security be loose. In the end security is more of a consultant, but we need to be consulting to the ultimate decision maker who has the entire view of the organization...especially from a risk management point of view.
  • OctalDump Member Posts: 1,722
    My inclination is that CISO should report to CEO and/or the board. It probably does matter what the local law is, and what the governance requirements are, but in general, the CISO can deal with issues that require them to circumvent all other hierarchy.

    If you put CISO under IT, then there will be an inevitable conflict between accountable and responsible.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • tpatt100 Member Posts: 2,991
    Yeah, the CISO should report directly to the CEO; the Auditors should also report directly to the CEO to avoid conflict of interest.
  • colemic Member Posts: 1,568
    Ideally, the CISO should report to the CEO. However, in reality, that rarely happens. It is good that you are trying to move it away from IT. As CISO, managerially I report to the Chief Risk Officer, but work closely with the CIO and IT Ops... We are trying to move away from that, but reporting to the CRO has given me a level of independence and objectivity I wouldn't have had otherwise.

    Those are pretty much your three choices. The Texas CISO Council Guide (http://media.wix.com/ugd/618c85_f1e315b1e92844fcaebc9612fd1157c5.pdf) has a GREAT breakdown on this.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008