Cyber Security – Whose problem is it anyway?
A long-standing debate persists across the industry regarding accountability and reporting lines for cyber. Who is responsible for cyber security? What should your reporting lines look like? There is no agreed, defined standard for you to work from and, in some ways, nor should there be. In this article we’ll discuss the most common options and their pros and cons.
IT – CTO / CIO
Many would argue that cyber security teams originated in technology departments, particularly IT. In the early days of the industry, cyber often grew out of ‘Network Security’, generally the resources configuring and operating firewalls, or even the resources central to the management of logical access.
In many cases it makes sense for your cyber teams to sit within technology: the teams are close to technology strategy and can potentially make the most impact close to the resources integral to technology change. A CISO reporting to the CTO or CIO makes sense in many ways as well: as the voice for technology change with your executives, the CTO / CIO can drive positive change for cyber from the top down. Arguably the likelihood of your CTO / CIO understanding the subject is high too, especially within the technology domains of cyber.
On the other hand, there are potential negatives to situating your cyber teams within your technology departments and reporting to the CTO / CIO. By far the biggest is the potential for a conflict of interest, especially where change for the improvement of cyber conflicts with general technology change. An example is the introduction of stricter authentication controls, such as PAM (Privileged Access Management). From a user perspective this could be seen as ‘slowing them down’, and that negative feedback travels up the reporting line to the CTO / CIO. What choice will the CTO / CIO make: improvement of cyber security, or zero impact on the throughput of technology resources?
Finance – CFO
Another common approach is for cyber teams to report through the CFO. By segregating the cyber teams from technology, this approach ensures little to no conflict of interest of the kind discussed in the previous example.
There are positives to this approach as well. Not everything within cyber is technology focused; a large amount sits within the GRC (Governance, Risk and Compliance) domains. There are many opportunities for synergies with your central Risk and Compliance teams, which often sit within the CFO’s reporting lines. Your CFO will often have a good understanding of the core GRC concepts and can generally apply them to cyber security, providing a valuable executive lead on positive cyber change.
On the flip side, a negative of this approach is that you are not as central to technology change as in the previous example of reporting to the CTO / CIO. This could mean you miss out on the opportunity for ease of integration within your core technology strategy and operations. Out of sight, out of mind: your direct involvement within technology teams may be lost and, with it, momentum towards positive cyber change.
CEO – CISO
A less common approach, which is becoming more popular, is the CISO having a seat at the executive table with direct reporting to the CEO and/or the Board. Supporting the seriousness of the subject of cyber at the most senior level in the business, this ensures that cyber is considered directly within business strategy from the top down.
The CISO sitting alongside your executives is a clear sign, internally and externally, of how seriously your business takes cyber security. Reporting independently to the CEO, the Board or both ensures no conflicts of interest. This approach is the clearest way to ensure cyber is considered within business objectives and strategy from the ground up and discussed at the most senior levels.
However, similar to the previous examples, this option can be the most isolated. Without direct reporting to either the CFO, CTO or CIO, will your cyber teams be able to ensure positive cyber change is driven across the business? Will the benefit of direct reporting to the CEO outweigh the importance of direct integration with your technology or GRC teams?
Does it really matter?
Ultimately there is no one-size-fits-all here; your choice will depend entirely on the make-up of your own business, taking into consideration your business objectives and maturity. A security programme can be successfully driven by a CISO reporting into a CFO, CTO, CIO or CEO; it all comes down to the capability of the CISO coupled with the seriousness and maturity of the accountable role. Conflicts of interest can arise in any one of these options but can also be navigated successfully by someone with the right mindset to work through them.
So does it really matter who the CISO reports into? I’d argue no, provided that the CISO has the relevant seniority and ability to drive the security agenda. There are obviously certain ways to set your store up for success, such as options for direct board reporting – but it is what the CISO makes of it.
Conclusion
In today’s organisations, where everything revolves around the digital world, is it not time for the CISO to sit at the top table alongside other C-suite members? Or do you think the CISO should report into someone different? Let us know in the comments!