There’s been a lot of debate about where the chief information security officer (CISO) should fit in a reporting structure. Thinkers in the field have made arguments about autonomy, resourcing and boardroom visibility. All are important considerations. But here’s one more: convergence.
Convergence is a nirvana-like state where cybersecurity, operations, business continuity and corporate functions, like strategic planning, enterprise risk management, human resources, financial management, and facilities management, work together seamlessly. To achieve this sublime state, the CISO must be an enabler, not the person who simply pokes eyes and writes up the findings. While each organization is different, before looking at the CISO’s placement, consider the following.
First, the CISO’s success drivers must be aligned with the organization’s success drivers. The success of the CISO must be traceable to the goals, vision and mission-essential functions of the organization. Consider an ecommerce organization. It may list its strategic objectives as:
- Be the first choice for consumers to purchase products via the internet by delivering a seamless and secure ecommerce experience.
- Deliver products at the lowest possible price and offer easy, secure payment options.
- Deliver purchases quickly and safely, with complete customer visibility.
- Deliver ever-increasing shareholder value.
Couching IT risks in this context is the first step to convergence. For instance, out-of-date web servers are not simply a technical risk, but a risk to all the corporate objectives listed above. If there is a need to fund the replacement of these servers, being able to express the risk in the context of the organization’s corporate objectives is a rallying cry not only to technologists, but to non-technology leaders whose support must be enlisted. An excellent reference for establishing this traceability is the Software Engineering Institute of Carnegie Mellon University’s CERT® Resilience Management Model (CERT-RMM). In CERT-RMM’s Enterprise Focus (EF) and Asset Definition and Management (ADM) process areas, the CISO would track the following relationships as a matter of course:
- Strategic objectives, such as the objectives listed above.
- Critical success factors. What conditions must exist for the organization to achieve these objectives? (For instance, web presence being 99.999 percent available.)
- Organizational services. In the example above, these might include ecommerce, finance and logistics. These services must maximize confidentiality, integrity and availability for the organization to achieve its objectives.
- Assets. This includes not just technology, but people, information, facilities and supply chain, as well as relevant information about these assets, like their custodians.
- Association of assets with services. If an asset is not resilient, what services are not resilient?
When the CISO ties asset risks to how they affect the success of the organization, he or she is better able to garner support from the rest of the organization in mitigating those risks.
Achieving Convergence with IT Organizations
Many thinkers in the cybersecurity space are advocating separation of the CISO from IT organizations within the company, such as those who answer to the chief information officer (CIO). Wherever the CISO winds up on the organization chart, too much separation can be a bad thing. After all, the job of the cybersecurity organization is not simply to say “no,” but to help define how the organization can achieve its objectives with confidentiality, integrity and availability of assets.
To do this, the CISO’s organization must understand not only compliance frameworks, but how an asset is managed. Take for instance the example of the web servers. Employing cybersecurity personnel who know how to provision and maintain a web server makes them a trusted advisor to those who do so every day. An organization’s vulnerabilities are cumulative and often start at the front lines. They happen when a code-testing backdoor is left in an application, when an insecure service is left enabled on a platform, or when a network is not architected with segmentation. Once the CISO’s people can explain how a risk impacts the company, collaborating with administrators and developers to head off a problem before it lands on a compliance report is cheaper. It’s also easier for the administrator or developer.
The CISO’s Placement
The answer to where the CISO resides depends on the culture of your organization. It also hinges on the processes the organization has in place to tie cybersecurity into the company’s success and the management of information assets. Moving the CISO out from underneath the CIO may increase autonomy, but it may also be a crutch that cordons off the CISO from the people who will mitigate risk at the tactical level.
Regardless of the positioning of the CISO, confidentiality, integrity and availability must be a normal part of requirements development and be part of the CIO’s, as well as the CISO’s, performance objectives. So goes the CISO, so goes the CIO, and vice versa. If an asset is not able to support a high-value service so that the organization achieves its strategic objectives, it’s a problem for both, and it should be approached as such. Wherever the organization places the CISO, it should first consider convergence.
Lunarline is ready to help your agency build a sustainable and effective cybersecurity program that meets your organization’s needs and available resources. To learn more about us, visit us online or contact one of our experts today.