There is an important debate about the role of the Chief Information Security Officer (CISO), or, more precisely, about where in the organization the CISO should report. According to a Wall Street Journal piece:
High-profile data breaches have ignited debates about whom the CISO should report to. Many CIOs say corporate IT is best secured when CISOs report to them. But some consultants say that CISOs should report to CEOs to avoid conflicts of interest that could hamper cybersecurity. For others, reporting structures are less important than maintaining secure business outcomes.
In my view, for reasons of independence and given the importance of cybersecurity, the CISO function ought to report to an independent office outside of IT, or to the CEO.
To get to the heart of this, let’s first dive into the role of the CISO.
John Rostern makes a critically important distinction:
There are two broad categories of security functions in any organization, security operations and oversight. Security operations includes functions such as account provisioning, access control, and the management, configuration and deployment of security infrastructure (firewalls, IDS, etc.) and related network components. Security oversight is a governance activity that validates that security operations are being performed according to documented policies, standards and procedures and that those operations are effective in meeting the legal and regulatory requirements of the organization. A key part of the governance aspect of this position is setting appropriate policies that are aligned with the business stakeholders.
Technical security operations undoubtedly remain within IT. Security oversight and governance, which is the domain of the CISO, have moved well beyond the technical — and into the world of policy and strategy:
From a corporate strategy perspective, [information security] has transferred from largely technological to one with a substantial human component…. Indeed, the advent of the CISO role comes from the need to bridge the gap between the technology-facing part of the business and the strategic and operational element. The role is changing from a predominantly IT risk-focused position to one that is principally enterprise risk-oriented.
In other words, the core competencies required for the CISO governance function are enterprise-level management and strategy, not merely technical ones. It follows that the CISO cannot have her strategic view blocked by a CIO whose domain and demands may compete with it.
This is consistent with a report by the National Association of Corporate Directors, the American International Group and the Internet Security Alliance which concludes that it is imperative to approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
Critically, by keeping the CISO out of IT, one allows for independent oversight of the security function. Rostern:
[T]he role of the CISO requires …independence in providing objective, independent oversight with respect to information risk management and security.
What threatens the independence of the CISO if they were to stay within IT? IT business needs. According to the WSJ article:
One concern about having the CISO report to the CIO is that cybersecurity measures may take a back seat to revenue-generating activities, says Avivah Litan, a Gartner Inc. cybersecurity analyst.
Jeff Spivey, international vice president of the Information Systems Audit and Control Association (ISACA), says:
The CISO should not report to the CIO. It’s very difficult to bring up issues to a management level that needs to resolve them. That needs to be offset somewhere else so it’s not an incestuous relationship.
These latter points are borne out by a recent report by the House Committee on Energy and Commerce, released upon completion of an investigation into information security breaches at HHS. The report concludes that where information security competes for attention with other IT priorities, the situation can lead to “normalized deviance,” that is, accepting greater and greater safety risks to meet operational goals. Indeed:
By separating information security from information operations, this reorganization addresses the inherent subordination of HHS’s information security program. It eliminates the ability of officials responsible for information operations to “normalize deviance” in order to ease operational pressures, as they no longer possess information security responsibilities, nor does information security exist in their chain of command.
It removes information security from the IT “silo” and facilitates the inclusion of expertise across HHS in information security decisions. In particular, the placement of the CISO within the Office of the General or Chief Counsel specifically acknowledges the fact that information security has evolved into a risk-management activity, traditionally the purview of the legal team.
Finally, the trend is headed in what I think is the right direction. According to CEB:
Although the majority of chief information security officers (CISOs) still report within the IT function, there is a shift towards reporting outside of IT.
John Linkous, a consultant, thinks the number of CISOs outside the IT function is greater than CEB reports, and sums all of this up nicely:
Today it’s rarer to find a CISO that reports to a CIO than it is to find one who reports to the CEO. Independence from IT is an absolute requirement for the modern information security officer, just as independence is required between the CFO and a financial auditor, a valuable lesson we learned from SOX, which also has implications for information security.
The formula is really quite simple. We know that audit independence is the primary key to successful financial controls. Similarly, an independent CISO is the key to successful cybersecurity controls.
One thought on “Why the CISO Should Not Work for IT: Normalized Deviance”