BreachExchange mailing list archives

Maybe it really does matter who the CISO reports to
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Jun 2014 20:32:17 -0600

http://www.csoonline.com/article/2365827/security-leadership/maybe-it-really-does-matter-who-the-ciso-reports-to.html

Target’s recent appointment of Brad Maiorino was received with great
fanfare this past week, an indication that Target was willing to bring in
the “big guns” to address security in the wake of last Fall’s massive data
breach at the big box retailer. But the disclosure that the position will
report to Target’s CIO has rekindled the debate about what the most
effective reporting structure should be for the CISO to deliver better
overall security.

In last week’s ‘SANS Newsbites’ newsletter, Stephen Northcutt, Shawn Henry
and John Pescatore debated the wisdom of this reporting structure with
Northcutt and Henry arguing that it diminishes the effectiveness of the
CISO. Pescatore, on the other hand, claimed, “there is zero real-world
correlation that security goes up - or down (when the CISO reports to the
CIO)”. While I agree with John that the relationship between the CISO and
his/her boss is critically important to the CISO’s success, I am compelled
to point out that there actually is empirical data supporting the argument
that having the CISO reporting outside of the CIO’s office does improve the
organization’s security when measured against downtime and financial losses.

This finding comes from the 2014 Global State of Information Security
Survey, conducted each year, for more than a decade, by PwC, CSO and CIO
magazine. I’ve not previously called out this data because I thought this
argument had been put to bed… apparently I was wrong. So here it is:

- with more than 9,000 respondents from around the globe, the survey found
that those organizations in which the CISO reported to the CIO experienced
14% more downtime due to cyber security incidents than those organizations
in which the CISO reported to the CEO
- and, when the CISO reported to the CIO, financial losses were 46% higher
than when the CISO reported to the CEO. In fact, having the CISO report to
almost any position in senior management other than the CIO (Board of
Directors, CFO, etc.), reduced financial losses from cyber incidents

I also examined the findings from the 2013 survey and found the same basic
conclusion: reporting to the CEO or the Board of Directors, instead of the
CIO, significantly reduces downtime and financial losses resulting from
cyber security incidents.

I’ve always believed that not every organization is the same and that no
one model will work everywhere. However, there’s a lot to be said for
having IT security leadership report to the top of the house, but not to
the CIO: the reduction in conflict of interest between the CIO’s objectives
and the CISO’s objectives, the ability to escalate issues to the top of the
house, as well as the opportunity it provides for security to influence
corporate leadership. It's critical that the CISO and the CIO work together
towards the common goal of aligning security with the business objectives
and risk appetite of the organization, but it's clearly best done when they
are peers with an equal voice in the discussion.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 