Should the Federal CISO Reporting Structure Change?
Published: August 12, 2015
Week after week we continue to hear about security breaches across public and private sector organizations. Could conflicted priorities in the CIO shop be contributing to the problem? Would a change in reporting structure for the chief information security officer (CISO) lead to better network and data security? A recent report on HHS information security by the House Committee on Energy and Commerce made me ponder these questions.
The committee report claimed that part of the problem with information security within HHS divisions was caused by conflicting priorities between the CISO and the CIO to whom they report. The report found that the CIO office was prioritizing operational concerns over security concerns. Additionally, “…the CIO-CISO hierarchy prevented the CISO from requiring full system audits.”
The House committee recommended that the CISO should be placed under the purview of the Office of the General or Chief Counsel because information security has evolved into a risk-management activity, traditionally overseen by the legal team. The committee asserted that, “This reorganization is an important first step toward creating a system that incentivizes better security.”
I personally found this recommendation rather odd, but interesting. Does the CISO function in other agencies report to the legal team? Is this reporting structure common in private companies?
In my cursory search, I was not able to find any federal CISOs who reported to the Office of General Counsel or to any office other than the CIO. However, in the private sector there is a debate regarding whether the CISO function should report to the CIO or directly to the CEO.
The House committee consulted with industry experts and analysts who cited a “growing trend in the private sector to restructure information security operations so that CISOs report to a senior executive other than the CIO.” These experts referred to a 2014 ThreatTrack Security survey that showed less than half of CISOs surveyed still reported to their CIO. The new reporting structure “eliminates the tensions between security and operations that the traditional structure creates,” according to the House report.
A recent Wall Street Journal Article echoes the debate about the most effective CISO reporting structure. According to the article, “Target’s decision in 2014 to order its first CISO … to report to [the] CIO … was criticized by cybersecurity experts who said that he should report to the CEO to provide the clearest view of the company’s cybersecurity posture.”
In the private sector, the concern with CISOs reporting to CIOs is that security may play second string to revenue generating activities. Additionally, cybersecurity return on investment is often difficult to quantify. In a February FierceITSecurity article, the author writes, “Can you imagine the CIO telling the CEO that his department spent millions of dollars and nothing happened? … But that's what happens when IT security is done properly.”
Regardless of the reporting structure, all seem to be in agreement that the CISO and CIO must work in close collaboration. According to the WSJ article, “Close collaboration between the CIO and CISO is a good way to present comprehensive security postures to boards, says Robert Logan, CIO of defense contractor Leidos Holdings Inc.”
HHS has not publicly commented on the House committee report. It’s unknown whether they plan to implement the report’s CISO reorganization recommendations or if other federal agencies are considering a change in CISO reporting structure.