Chief information security officers are gaining more autonomy and oversight as companies shift cybersecurity away from the technology chief’s control.
Many legacy cybersecurity teams were established inside technology departments, where the CISO reported to the chief information officer. Today, by giving CISOs a broader view and stronger negotiating power across the organization, companies are acknowledging the growing importance of cyber risk and addressing a potential conflict of interest between technology heads and security personnel, whose priorities may differ.
“In 2018, reporting lines have more to do with allowing for a security risk conversation over the whole technology landscape,” said Geoff Brown, chief information security officer of New York City.
Two-thirds of companies said their chief executive and board of directors have direct oversight of cybersecurity, according to a recent Accenture survey of 4,600 security practitioners at companies with $1 billion or more in revenue. CIOs also had less control over cybersecurity budgets in 2018 than in 2017 (29% vs. 35%), according to the survey.
Broad security risk conversation.

New York established a “cyber command” in 2017, an effort in part to pull the CISO role out of reporting through technology organizations in city agencies, Mr. Brown said. The CISO role now reports through both the deputy mayor for operations, the equivalent of a chief operations officer for the city, and the deputy mayor, the number-two city executive to Mayor Bill de Blasio.
The result has been greater visibility across numerous city agencies, and an easier central point of contact for city partners, like private businesses, state agencies and federal law enforcement, said Mr. Brown.
Companies can set up this structure in many ways, but the key is to avoid burying the CISO under layers of technology reporting, said Anthony Belfiore, chief security officer for insurance company Aon PLC.
“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play,” said Mr. Belfiore, who oversees his company’s cybersecurity function as CSO. That conflict can take many forms, he said, including the CISO not having authority to slow down innovation projects driven by the CIO if there are security concerns, or vital security initiatives not faring well if the CIO has to reduce expenditures.
Companies can minimize the conflict by having the CISO report to the head of operations, as in New York City, or to the company’s general counsel, said Mr. Belfiore. Companies whose CISOs report to the CIO can add reporting lines to legal, risk or the CEO’s office to offset potential conflicts, he said.
Allowing CISOs to push unpopular projects.

Support from top executives can ease the struggle of pushing tough initiatives, a problem CISOs often face, said Don Welch, chief information security officer of Pennsylvania State University.
After joining the university in 2016, Mr. Welch took over the cybersecurity function in all 84 of the university’s separate IT organizations and brought them under one central office. It was one of his “most unpopular projects,” Mr. Welch said. It would have been more difficult without having a direct reporting line into Penn’s chief financial officer as well as the university’s provost, the equivalent of its CEO, he said. His line of reporting is parallel to the university’s CIO, he said.
“Some people were very happy to give up that security responsibility, but some people didn’t want to trust when these were things they had been in control of for years,” he said. “People will generally accept [security] arguments better if they think there is no hidden agenda of taking other IT power away.”
Original report can be found on WSJ.