The debate about whether information security is part of IT or not is one that has been ongoing since information security first rose to prominence as a subject. Security itself is not solely an IT issue, but as the percentage of the security threat that comes from the internet has increased over the years it has, perhaps understandably, come to be seen as one. The problem stems from the fact that there is no real consensus on where information security sits, what its remit is, how you define success (or otherwise) and where the buck actually stops if something goes wrong.
Although the role of the CISO has been around for a while, it has risen to prominence recently because information security is seen as a priority by an increasing number of organisations. The challenge is that information security is an evolving discipline, and so there are still different views of what the scope of the function should be. In addition, different organisations often have different starting points when it comes to security, leading to functional structures that can differ widely from organisation to organisation.
Because most of the information a company holds these days is digital, you can see why many CIOs see the protection of it as something that sits with them. The increasing power and prominence of the CISO is therefore seen by some as a threat, but the reality is that, with security breaches being such a risk for organisations, both financially and reputationally, it is unsurprising that the role of the CISO has become more important in the eyes of the business.
In many ways it is actually better for the CIO if the two functions are separate. It makes a clear statement to the whole organisation that cyber is no longer just an IT problem. This makes risk conversations with business leaders much easier and drives quicker remediation by placing accountability in the areas where the teams are most empowered to enable change. For the CIO it removes the jeopardy of a conflict of interest, which makes for better decision making in the long run.
In the same way that there are benefits to the CIO from information security being separate, there are also benefits to being part of IT that a CISO should consider. It is perhaps easier to get what you need from a team when you sit inside it, than it is being external. There is a danger that IT considers security as ‘no longer its problem’.
The fact remains that inside or out, much of the delivery around information security relies on IT. Many information security leaders talk about the importance of having security built in.
“Within many organisations there is a growing acceptance that the battle to defend the digital perimeter is now over as we embrace a more interconnected business ecosystem. The challenge is now one of protecting data, and this can only be achieved by designing services with security in mind rather than trying to add it on as an afterthought,” says James Smith, Senior Information Security Consultant with Savanti.
So although there may be a functional separation of teams, IT and information security will need to work very closely together a lot of the time. The important thing, therefore, is not who gets to boss whom around but how you design a structure that will enable a close working relationship.
One way to approach this is with the creation of a Cyber Security Centre of Excellence (CoE), with a dual reporting line (one dotted) to both the CISO and the CIO. The remit of the CoE is to deal with all the technology-related aspects of information security, which largely fall into two areas: IT security operations and IT security architecture. All other security functions sit in the CISO team (policy, risk, governance, education, secure by design, assurance, etc.).
“This approach can work well because it ring fences resource for information security meaning that it doesn’t need to fight for time and focus with other IT priorities,” says Smith. “One of the issues that CIOs face is that their teams often have competing priorities. Information security needs can end up at the back of the queue because, rightly or wrongly, they are not seen as delivering business value. It is difficult to measure ROI on information security and therefore harder to demonstrate success.”
Because of the rather nebulous nature of information security there are actually no hard and fast rules about what the function looks like, which elements should be built in-house and which outsourced, or how you define its responsibilities.
Whatever the right solution for your organisation turns out to be it will almost always be a sensible idea to get an external perspective – if only to prevent friction developing. “You will find there is an awful lot of variation in what an information security team looks like from business to business. There are no established models that are agreed on across the industry,” says Smith. “Building something that works for you requires the right mixture of specialist skills and deep company knowledge. You need to find a partner with experience across a number of models and the ability to work with a range of often siloed internal functions.”
So the question is not really about whether the CISO reports to the CIO at all, but whether you can design and implement a function that has the structure and clout within the business to get leadership thinking about information security in the right way. It is also about information security being seen as a business enabler rather than a necessary evil; something that provides an organisation with the capability to achieve its potential safely. How you create that shift in perception, however, is an article for another day.