Changing CISO's reporting structure: Why the debate is back?

Changed ground realities—increased compliance responsibility for CISOs, stances taken by some regulators, and the impending data protection law—force a relook at the CISO's reporting structure.


The Chief Information Security Officer (CISO) is a position within an organization whose genesis lies in the IT department. Just as there are executives in the CIO’s team responsible for IT infrastructure or enterprise applications, there were those who were responsible for IT security—those who ensured that the computers, the networks and the applications remained safe. Like their infrastructure and applications counterparts, they too reported to the CIO.

So far, so good.

Certain developments changed this status quo.

First and foremost, the digitalization of everything meant that security issues arising from the vulnerability of digital technologies were suddenly no longer confined to traditional network or endpoint security. While the technology decisions for these new digital technologies—often tightly integrated with operational technologies such as manufacturing systems—were being taken by non-IT executives, security was too specialized for them. They turned to the person seen as the most knowledgeable on these aspects—the head of information security. Many security heads equipped themselves with new skills and knowledge and did manage to live up to the expectations. That was the first time security executives spread their wings beyond the contours of what was called enterprise IT.

Secondly, the importance of security grew manifold, for two prime reasons. One, as more and more parts of the business got digitalized, an attack had the potential to stall the business, not just slow down some information processing, as in the earlier period. So it became a business risk. Two, the attacks changed—both in their motives and their complexity. The earlier proposition of building bigger and bigger walls and expecting everything to be safe was no longer valid. Security was now active combat—something enterprise IT was not used to.

These two developments fundamentally shifted the priority given to security. The term ‘cybersecurity’, which became the standard, was coined to denote the new risk. With that, it became part of the business risk strategy—rather than the IT strategy.

For the last six years, two cybersecurity risks—data fraud/theft and cyberattacks—have featured among the most likely global risks in the World Economic Forum’s annual Global Risk Report (GRR).

The chart shows the rising profile of cybersecurity risks in the last five years, as identified by the GRRs from 2015 to 2019. While cybersecurity risks have been featuring as ‘most likely’ risks all these years, in the last two years, ‘cyberattack’ has featured as one of the most impactful risks as well.

This year cyberattack was identified as a risk that is more impactful than such risks as large scale involuntary migration, interstate conflict and food crises.

Naturally, business leaders are worried, and cybersecurity threats are today considered an important business risk. That has made many organizations consider aligning cyber risk management with the risk function rather than the IT function.

But few organizations are ready, because the challenges are many. It is a highly technical job, and often some of it is so tightly integrated with the other IT systems that it is difficult to separate the two functions.

CISOs’ Reporting Dilemma

A 2017 Ponemon Institute study found that as many as six out of ten CISOs report to a technology manager. The report said 50% of CISOs reported to the CIO while another 9% reported to the CTO.

India is no different. A study by CSO Forum last year found that 34% of CISOs report to the CIO. About 18% report to heads of risk, compliance or legal. While 10% report to the CEO/COO, another 19% report to heads of risk/legal/compliance. This is apart from the 11% of CISO roles held by CIOs themselves.

The realization that the CISO role now extends beyond IT is slowly but steadily sinking in.

Experts believe if CISOs wish to play a bigger role, they must not only have the necessary technical expertise and leadership skills, but must also be able to articulate security risks and their mitigation from a business perspective.

“Data leak and fraud issues are no longer mere technical issues but have started to become broader people and process issues with strong cultural underpinnings. The CISO is expected to have a leadership view of the business problems that otherwise seemed to be technical issues,” says Makarand Sawant, Senior General Manager – IT, Deepak Fertilisers and Petrochemicals Corporation Limited.

Sawant reiterates that CISOs need to have a focused approach on security, compliance and business continuity.

“If we reel back to a decade or so, we observe most CISOs first started reporting to the CIO. This made some sense because the CIO is expected to best understand cybersecurity issues. However, modern research has shown that the CISO role was created not only to secure IT systems and data, but a big part of the role is outside of IT,” says Milind Mungale, EVP and CISO, NSDL e-Governance Infrastructure Limited.

That’s because the CIO’s main goal is managing and implementing information technology, which is substantially different from securing and protecting it. In this reporting structure, cybersecurity can become a secondary consideration, leaving the team lacking confidence that it is cyber ready, he says.

“When the cybersecurity teams report directly to a designated and experienced cybersecurity executive, they report having significantly more confidence in their team’s capability to detect attacks and respond effectively,” explains Frank Downs, director of ISACA’s cybersecurity practices, in its new 2019 State of Cybersecurity study.

Some believe reporting to the finance head or the CFO seems logical. Since finance intersects with every other area—including IT, risk management, procurement, tax and audit, some of which involve the CISO’s responsibility as well—there is some clarity when taking critical decisions about cybersecurity spending. But others argue that CISOs in such a setup are expected to show the benefits of cybersecurity investments, which may be a big challenge. Also, in organizations where the CFO lacks sufficient technical understanding, getting the budget for developing security policy and procedures may be tough.

So, a few suggest reporting to the CEO may be the best option. David Katz, a partner in Nelson Mullins Riley & Scarborough, a US-based law firm, believes this type of reporting maintains the independence of the CISO role and can enable “frank and candid discussion with respect to risk, resources, prioritization and conflict that may arise among the larger group of stakeholders within the entity.” 

IDC predicted that 75% of CISOs would report to the CEO, but it is still the exception—or rather an expectation—than the rule. ISACA also advocates that information security must be part of the board of directors’ agenda and that CISOs should be installed reporting to the CEO.

What is driving the change?

The argument for changing the CISOs’ reporting—taking it out of enterprise IT—based on the growing importance of security does not always cut ice with the top management of organizations where IT maturity is high, and the CIO is a very senior person given a lot of resources. The CISO can report to the CIO and yet be quite a senior person.

A more valid argument is that security concerns raised by CISOs often seem to ‘slow down’ things for their IT colleagues. While everyone is trying their best to complete a project before time—giving their best—the CISO, by definition, has to point out any security gap, which contributes to slowing down the rollout and makes the CISO unpopular. “It often leads to depression when two of us are seen as the guys in the team who slow down things,” says a senior security professional.

Even if a CISO holds to the decision, it can still be overruled by the CIO, whose objective is also to show how fast projects are rolled out. In effect, a CISO/security head becomes a contrarian-in-residence for the enterprise IT team. In organizations where the appreciation of security risks is low, this can make the CISO position virtually ineffective.

It is with these thoughts that some regulators have mandated that CISOs should not report to the CIOs.

In India, the Reserve Bank of India (RBI), the banking regulator, has specified it in no uncertain terms.

Way back in January 2011, an RBI working group on electronic banking, constituted under the chairmanship of RBI’s then executive director G Gopalakrishna, recommended that “CISO needs to report directly to the Head of Risk Management and should not have a direct reporting relationship with the CIO.” The report also recommended that the CISO position be held by a sufficiently senior-level official of the rank of GM/DGM/AGM.

In June 2016, RBI came out with a comprehensive cyber security framework, with a focus on compliance measures and a cyber-crisis management plan. The CISO position assumed huge relevance, and the framework expected the CISO to play a pivotal role. The framework mandated that banks have a separate cybersecurity policy, different from an information security policy.

Within a year’s time, RBI once again came out with a document clearly articulating the CISO role. The new mandate was for the CISO to directly report to Executive Director (ED) or the equivalent, overseeing the risk management function. Therefore, the CISO now has more board visibility than ever. RBI has very clearly positioned the CISO role along with the CRO to establish a strong risk management framework. They both should have strong communication and work together to enable a holistic risk management approach and both the positions report into the ED with their respective teams.

The insurance sector regulator, the Insurance Regulatory and Development Authority of India (IRDAI), followed in RBI’s footsteps and drafted a comprehensive cybersecurity framework offering guidance for insurers, which was released in March 2017. IRDAI also joined RBI in mandating that CISOs report to the head of risk. Risk, interestingly, is the business of insurance. So that is the level of importance given to a CISO in insurance.

While all banking and insurance CISOs are today reporting to the organizational risk head and not the CIO, the reasons for which the regulators have mandated these arrangements are not only restricted to these two industries. They can be valid reasons for any industry—even though there is no regulator to mandate that.

Another major regulatory/policy development that further tilted the equation in favor of greater CISO responsibility is the impending personal data protection legislation, the draft bill for which was released in July 2018. It is expected that this may be passed by Parliament in the next 6-9 months.

The legislation that seeks to protect personal data of individuals will be binding on companies dealing with personal data of Indian citizens—like the European GDPR.

The bill provides for a Data Protection Officer (DPO) who would be responsible for ensuring that the personal data handled by the organization is protected and is not misused or compromised. In the West, such positions are held either by attorneys or by people with an information security background. In India, it is expected that CISOs will take up DPO positions, as there are few legal professionals available with adequate technology knowledge. Since the bill specifies that the DPO position can be non-exclusive, CISOs can hold the position without giving up the CISO role. Since it is a significant corporate role, a CISO handling it will invariably have to be outside the IT function—to be able to do justice to the role.

A Gartner report suggests that the two roles are complementary in most senses, if not all, which suggests that the CISO may, with some additional training and education, assume the DPO role, which involves personal data security, privacy and confidentiality assurance.

“While efforts for formulating the bill have to be lauded, it must be noted that the bill has to be refined further to clarify certain provisions, offer more clarity on the CISO’s roles and responsibility and specify ‘appropriate mechanisms’ for the same,” says Sheril Jose, Head – Cyber Security at Pune-based Emcure Pharmaceuticals.

While the Personal Data Protection legislation is a very important law that companies will need to comply with, it is by no means the first compliance requirement for businesses. Apart from many horizontal requirements, there are vertical-specific regulations too. And all these compliance requirements have significantly to do with technology, bringing them onto the CISO’s plate. With many Indian companies still not having a compliance officer, it is the CISOs who often take overall responsibility.

So overwhelming are compliance requirements that they are now a significant part of the CISO’s overall responsibility. According to the CSO Forum study quoted above, as many as 24% of CISOs see themselves as an organizational risk manager and 13% see themselves as the prime custodian of governance and compliance. The same study also found that most CISOs (59%) identified compliance, while another large chunk (54%) identified governance, among the terms describing their role. These two figured above ‘threat’, ‘safety’ and ‘prevention’, and in the same league as ‘protection’—the raison d’être of the CISO position.

Needless to say, much of the compliance work has to do with creating policies and carefully ensuring that they are adhered to. Technology merely enables that, as it does most business functions today. This further strengthens the CISOs’ claim to a reporting line outside the IT function.

Beyond regulation: Business reason

At least one industry—other than banking and insurance—has realized the need for CISOs independent of the CIO’s organization. While the reason for banking and insurance is a regulatory mandate, this industry’s reason is purely business related.

The industry, of course, is the IT-BPO (IT/ITES) industry. This industry in India is unique because it carries out the back-office (including IT) functions of global corporations. A senior CISO with a good grasp of clients’ security concerns—with information being handled in a third world country like India—goes a long way in assuring clients.

During their due diligence visits, many clients meet the CISOs to be assured that their information will be handled with the highest standards of security. In the early days of the IT/BPO industry, they often met the IT heads too, but not anymore. India has already demonstrated its infrastructure resilience, not to mention its IT skills.

The Indian IT/ITES industry is the only example of an industry that uses CISOs to market itself.

Apart from these three industries, there are organizations that are sensitized about the importance of security and hence have CISOs reporting to senior levels. For instance, in Reliance Jio, the CISO reports to the chairman.

But such businesses are still the exception rather than the rule. The Personal Data Protection legislation may change that.

But CIO-CISO partnership still vital!

Irrespective of the reporting structure, some believe that the CIO’s role is equally vital in the organization’s overall cybersecurity strategy. In a recent article by McKinsey, Oliver Bevan, an associate partner in McKinsey’s Chicago office, and his co-authors, observe, “The CIO team has an equal stake in addressing cyber risk throughout the processes. Their equality is absolutely essential, since CIO and team are primarily responsible for implementation and will have to balance security-driven demands for their capacity with their other IT “run” and “change” requirements.”

With changing times, the CIO and CISO roles are working together better than ever before. “The roles of the CISO and CIO have certainly become more collaborative. Now they have realized that security cannot exist in a vacuum, so both executives are focused on understanding the other’s perspectives and working towards the same goals of accessibility, security and organizational resilience,” says Jose of Emcure Pharmaceuticals.

In fact, research shows that CISOs are more effective when they are viewed as equal partners within the management structure. Leigh McMullen, research vice president at Gartner, notes in his blog that security leaders must strategically balance between the business and IT, and that their collaboration with the CIO therefore has to be sound.

Even the RBI working group on electronic banking noted the same. While clearly recommending against CISOs reporting to CIO, it observed, “However, the CISO may have a working relationship with the CIO to develop the required rapport to understand the IT infrastructure and operations, to build effective security in IT across the bank, in tune with business requirements and objectives.”

New realities require new decisions

As is evident, the changing landscape of regulation, business changes and the rising profile of cyber risks have put the CISO role in a critical position. In addition, the CISO’s changing responsibility profile means they work more on risk management than on technology selection and implementation. The debate on CIO-CISO reporting needs revisiting.

Some organizations have created separate cybersecurity leaders designated as CISOs, while IT security is still managed by the CIO’s organization.

Organizations must find their own solutions based on the current business needs rather than continuing with the status quo because it is convenient.

Read the CIO&Leader June 2019 Issue
