To Whom Should the CISO Report

Reporting to Technology

It is natural for a CISO to find themselves reporting to the CTO. The technical skills required for a solid understanding of the security state of a product are developed by curious minds who rise through the ranks of the engineering organization, on either the quality or the development side of the team.

These folks can have a deep understanding of the technical limitations of the solutions their teams have built, which makes them keenly aware of the technical problems that need to be resolved. At the same time, the CTO constantly faces demands to ship features faster, which limits the budget available for any investment that won’t drive the acquisition or retention of the next customer.

This reporting structure is therefore an excellent choice for organizations that need to do a little housekeeping but also need to sustain a great deal of forward momentum.

However, if confidentiality, integrity or availability are mission-critical, then the drive for the next feature may compromise security. The CTO is incentivized to maintain momentum more than they are incentivized to maintain security. This tends to yield anemic allocations for security work and can be a serious problem in heavily regulated industries like health, finance, energy, transportation, and defence.

Another challenge with this line of reporting is that the CISO will often be promoted from within. That means they will have exceptional technical skills but may lack a broader understanding of enterprise security and business continuity. A good CISO understands the information threats to the company, not just to the product.

A third challenge with this reporting line is that the consistent underfunding it can produce leads to a fear-driven operations culture rather than one built on innovation. Embracing change is critical for companies that need to remain relevant. Some might argue that businesses have a “growth imperative”, surprisingly a Marxian concept [wikipedia/Growth_imperative], but I would suggest that they instead consider a Darwinian one [wikipedia/Natural_selection]. The fear of change arises from the real impact that outages and other security events have on the lives of the people who keep services and products running.

“Sorry honey, I can’t come to your birthday tonight because my boss told me I need to go to work to get the application running again.”

This fear of change will be felt most acutely when the need for change is the largest and most critical.

Reporting to Finance

Security is often viewed as insurance because security tools are used to mitigate risk. It is therefore more rational than it might seem at first blush for the CISO to report to the CFO. Strategy is about running out onto the field and getting the ball. Security is making sure that the bully doesn’t beat you up and take it away. Finance is keenly interested in ensuring that the business remains solvent. That means the business needs to draw revenue before its runway is exhausted. It needs to manage realized liability cost-efficiently. Finally, it needs to mitigate potential liability so that the portion which becomes realized liability never renders the company insolvent.

Having the CISO report to finance requires that the security office be able to articulate the impact of exposure in dollars. It requires that the officer be able to frame the cost of mitigations in the context of the company’s risk tolerance. The likelihood of exposure is difficult to assess, and the scientific minds that think about it tend to express it in vague terms that are difficult to act on. Framing the question as how much should be invested to mitigate the cost of the potential impact may provide a better approach.

However, a CISO hired into or promoted from within the finance organization may not have the technical skills to fully appreciate the technical risks posed by weaknesses in the product. That kind of knowledge can be critical to understanding the threats.

Reporting to Operations

Operations is another common chain of command for a CISO. Operations is highly concerned with sustaining service; availability is mission-critical for this business unit. This intense focus on uptime results in a bias against change. Once the path to recovery for an application or service is known, it is easily repeated; when failures are novel, resolving them can be highly stressful. This need for consistency requires the attention of staff dedicated to the task, and so this organizational unit is a natural home for a CISO.

Having the CISO report to operations ensures that they live where the action is. It enables them to be highly responsive to evolving situations. They will hear about incidents very early and be able to respond.

However, the availability bias of this business unit can compromise the CISO’s ability to advocate for critical controls that enforce confidentiality and integrity.

“That data access might not have been permitted, but it is still internal and therefore not a big deal. We can deal with that bug later.”

“So long as it’s up, we can advise our clients of workarounds.”

This focus on the “right now” biases security decisions under this business unit toward the tactical rather than the strategic. Without a deliberate counterbalance, this bias leads to security debt.

A CISO in this position is likely to have the technical chops to run infrastructure, since they commonly grew up in or were hired into this business unit. They may not have as deep an appreciation of the other pillars of security, or the in-depth knowledge of AppSec that officers with a more product-engineering background bring, but they will have a better understanding of organizational risks like key-person knowledge, recovery, and exposure/breach reporting.

Reporting to the Executive

Organizations for which security is most critical will want the CISO at the executive table. Service security is a concern that cuts across all business units. If growth is not impeded by a lack of certification or attestation, you may well not need the CISO at the executive table. However, if you are accumulating latent exposure faster than you realize, you may regret that decision. If the CISO is not at the executive table, one strategy to mitigate the risk is to run a formal risk management program that ensures sustained executive awareness of how risk is accreting.

Final Guidance

Choose your reporting line according to your business needs, and consider your vertical in that decision. Recognize that security is a counterbalance to strategy. In other words, make sure that when you get the ball, the bully can’t take it from you.