CISO, CIO and RISK


For years I’ve spoken about the challenges of data security where security teams are small and lack specific database or file server skills, and DBA and IT operations teams are focused on function and reliability. Over the past year I’ve spoken to many CISOs who experienced some real or perceived conflict between their recommendations and the other responsibilities of the CIO’s office. These CISOs expressed a need to change the reporting structure away from IT Security as a function of the CIO’s office. Risk, Corporate Operations (not IT Ops) and the Board of Directors were all options being discussed.

Just a few months ago the FFIEC’s Management Handbook for 2015 was released. Its CISO section includes instructions for CISO reporting that mirror the conversations I’ve been party to recently: “To ensure independence, the CISO should report directly to the board, a board committee, or senior management and not IT operations management.” (FFIEC IT Examination Handbook, Management booklet, November 2015)

There’s no question that the massive data breaches of the past 10 years, which have continued to grow in both the volume of data stolen and the frequency of theft, have driven the requirement for a CISO presence in meetings at the highest corporate levels. This is now fueling increased interest from security teams in what controls exist around corporate data, an area where traditionally there was very little interest, or at least little technical knowledge.

I’m interested to see whether this reporting structure recommendation, if implemented, changes the model of acceptable risk within IT. We have seen example after example of corporate data theft from systems that were at massive risk due to little or no security and/or audit controls being in place. As with most things in security, the assignment of risk is weighed in large part against corporate gains. A driver for this recommendation from the FFIEC is to limit the possible conflict of interest at the CIO level between supporting new product growth, upgrades and roll-outs on the one hand and security concerns about the same on the other.

At the end of the day, whether the reporting structure changes or not has no direct impact on me, but I’m optimistic that such a change would drive a difference in behavior that further supports security’s interest, responsibility and authority for controls around corporate data.