In many if not most enterprises, the chief information security officer reports to the chief information officer. After all, enterprises cannot function without IT, and security is a support function to safeguard data and systems. Or is it?
Today, when cyberthreats are pervasive, should securing critical information assets be put above the operation and managing of information technology?
Not only do you have to walk the talk in managing your own firm, but you have to be a model on how you handle risks.
Booz Allen Hamilton, the business, military and government management consultancy, seems to thinks so. Its CIO reports to its CISO.
I learned of that arrangement when speaking with Thad Allen, the Booz Allen executive vice president who leads the firm's Departments of Justice and Homeland Security business. You may remember Allen as the former Coast Guard commandant who led the U.S. government's response to the BP oil spill in the Gulf of Mexico in 2010.
We were discussing how the current cybersecurity environment is changing the role of the CISO. I asked, "How should CISOs turn to their advantage the greater interest in cyberthreats among upper management and board members?" Here's how the retired admiral responded:
"Sometimes it's the locations where the CISOs are at in relation to the CIO of the organization and senior leaders. The CIO at Booz Allen Hamilton actually works for our CISO. We have elevated the role of security function associated with information to an all-encompassing umbrella, in which we consider all of our systems operations. It has to do with access, to articulate the threat and deal with senior managers on a more frequent basis. Basically, bring the operational threat environment out of the server room in the backroom into the visibility of senior managers."
Frankly, I was stunned by Allen's revelation. I've heard of organizations treating CISOs and CIOs equally, with both reporting to top executives. But I've never heard of a CIO reporting to a CISO, so I asked Allen to repeat his declaration.
"At Booz Allen Hamilton, that's correct."
Allen explains that the nature of Booz Allen's business - advising businesses, the military and government clients on matters regarding national and information security - requires it to demonstrate the importance of security in its operations.
"If we're to go out to deal with government agencies or the private sector, we're dealing with information security issues," he says. "Not only do you have to 'walk the talk' in managing your own firm, but you have to be a model on how you handle risks, on how you're going to defend your networks, and that was clearly our intent."
I began covering information technology 30 years ago, at a time when security hardly was on most organizations' radar and, in fact, most enterprises saw data processing - the term for IT at the time - as a support function for the finance department. But in the 1980s, some forward-thinking organizations began to realize the strategic importance of information and elevated their directors of data processing to a new, high-level position called chief information officer. Senior executives realized their enterprises could not function and attain their strategic goals without IT.
Fast-forward a generation, and we find ourselves living in a society where IT is integrated into everything we do. But technology cannot function unless it's secure. "It's hard to [separate] the management of networks and the IT functions from the security functions that have to be embedded with them," Allen says. "There are many ways you can put that organizational structure together. But they have to be unified, and that has to be visible - and senior management has to be involved."
In the Coast Guard, Allen says, a two-star admiral functions as CISO and CIO as well as its cybercommander. "My feeling when I was a commandant was that we needed to have a single view on how our networks were operated and how they were defended," says Allen, who retired from the military in 2010.
Today, you cannot isolate IT and security from each other. As organizations evolve, the distinctions between IT and security blur, so managing them becomes an integrated endeavor.
Should CIOs report to CISOs or vice versa? Should the same executive perform both functions? Is there another, better model? Please share your thoughts in the box below.