The ineffective CISO

I’ve been thinking about this one for a while. I’ve seen some CISOs who are amazing at what they do, and I’ve seen plenty who can’t get anything done. After working with one that I think is particularly good lately, I’ve made some observations that have changed my mind about the modern-day CISO reporting structure.

The TL;DR of this post is this: if you have a CISO who claims they can only get their job done if they report to the board or CEO, you have an ineffective CISO.

All change, even change in our organizations, tends to obey Newton’s Third Law of motion: for every action there must be an equal and opposite reaction. Change happens because there is something driving that change. Change doesn’t happen because someone is complaining about it. A CEO demanding action could be your incentive. Maybe you need a better security posture to help sales. Maybe you had an incident and making sure it never happens again is a driver.

What’s the trigger for security change in your organization? If bad security is holding back sales, that’s easy to understand. But what happens when there isn’t an obvious need for security? All change in an organization, especially security change, will be the result of some other action. In our case we are going to call that action our incentive.

Now let’s think about incentives in the context of a CISO. I hear a lot of stories about how a CISO has to report to the board, or the CEO, or everyone in IT should report to the CISO, or some other crazy reporting structure to give the CISO the power they need to do the job. The number of permutations on this is huge. Why do we think like this? Much of the time, the reason I hear is that the CISO needs to be a part of decision making. It’s important for an organization to be secure and if the CISO isn’t at the table for every decision, nothing will be secure because nobody else knows how security works. It is of course mostly CISOs saying this, which should surprise nobody.

From what I’ve seen, the reason there is talk like this is that in a lot of organizations the security team, and by extension the CISO, is so ineffective at driving change that the only way to get anything done is to get someone at the top of the company to demand that everyone listens to the CISO, or else! In most instances this isn’t going to be an effective long-term strategy. It will work for a little while, then everyone will get sick of it and start looking for a new job.

I’ve seen plenty of examples where the CISO shows up, makes demands with no actionable guidance or plan, gets told no, then blames everyone else because they can’t do their job. Handing the IT team a PDF of the ISO 27001 standard and telling them that’s what they have to do is about as useful as showing up at a restaurant with an actual cow and demanding they make you a hamburger with it. When nothing gets done because nobody in IT knows where to even start, it’s not IT’s fault. It’s the security team’s fault for not giving actual guidance. If they blame IT, having the CISO report to the board isn’t going to suddenly make things better. What it will do is ensure the security team doesn’t get the blame they deserve. It might drive some change if they can get people yelled at or fired, but even then it’s not going to be lasting change. It will be chaotic change.

Now on the other side, I also know of CISOs who have built teams that don’t need a CEO or board to back them up. They have programs and teams that are highly respected within the organization. They’re not seen as a black hole that slows everyone down and generally spreads misery and little else. They empower teams to work better and faster. They understand what risk actually is and they make it work for them. Their advice is something other groups seek out; those groups ask for help, then get the help they need and probably some things they didn’t even know they wanted. This is what an effective CISO looks like. It doesn’t matter where they report because their leadership is earned, not enforced. A team like this could report to the janitor and still get more done in a week than the CISO reporting to the board gets done in a year. It’s an amazing thing to watch.

Everyone who works in modern IT understands why security matters. There are plenty of stories about leaked databases, stolen logins, unpatched servers, and more. Nobody wants security to be optional, but if your security team is difficult to work with, there is a real incentive to avoid them. The only way you might be able to get other groups to even talk to security is if the CEO is demanding it. They might get the job done, but it will often be in spite of security, not because of security. In many of these settings the incentive is fear and obedience. It’s no secret that these are not good motivators. I do think I would read the business book titled “Fear and Obedience” out of morbid curiosity, but I’m not sure I’d want to work for the author.

I have no doubt that not everyone will agree with this particular article. I’m OK with that. I’d love to hear from you. I’m @joshbressers on Twitter. I truly value all feedback, especially feedback that disagrees with my thoughts. I’m not going to say there is no place for a CISO reporting to the board, or the CEO, or the janitor. I think every organization and culture is unique and should be treated as such. I do think anyone who claims they can’t do their job because they lack the authority is probably not going to do much better once they have their fabled authority. It’s the proverbial dog catching the car.