BIRMINGHAM – Since the role of CISO was invented by Citibank in 1995 there have been frequent debates on reporting structure. The most common shape for that debate is: should the Chief Information Security Officer report to the CIO or the CEO? As someone who lived through the great quality revolution in automotive, I have long advocated for the CISO to report directly to the CEO. In recent months I have come to the further realization that it is time for the CIO to report to the CISO.
Let’s review quickly the early 1980s when Japan was at the top of its miraculous growth in manufacturing. In only a few decades it had moved from the world’s supplier of shoddily made trinkets to the top producer of quality automobiles. US manufacturers were churning out clunky rattle traps with tolerances measured in inches while new Toyotas and Hondas had tolerances measured in millimeters.
Ford, GM, and what was then Chrysler embarked on a quality revolution. Remember Ford’s mantra? “Quality is Job #1.” Much of the auto industry’s success came about from a simple fix to org structures. Every manufacturing plant already had its quality department, but the head of quality reported to the plant manager. He or she had no ability to enforce quality standards because the plant manager viewed shipping products as job #1. The fix was to change reporting. The quality manager now reported to someone outside and above the plant manager, and was empowered to enforce quality even at the expense of shutting down an entire plant if needed.
But most CISOs still report to the CIO who controls their budget and is able to veto critical security requirements in favor of cost saving or other priorities. After all: business comes first.
There is one advantage to having the CISO report to the CIO. In the event of a major breach the blame can be put on the CISO. I think you will agree it is better not to have a breach than it is to have a scapegoat.
It is the CIO who decides to move the company to Office 365. It is the CIO who picks the VoIP solution. It is the CIO who orchestrates the move to the cloud and the consolidation of all the data centers. The CISO’s job is to ensure there are security controls over all these moves. They take on all the responsibility for the security implications but do not get to veto the wrong decisions.
Turn that around. Put the CISO at the top of the org chart, reporting directly to the CEO and even having a seat on the board of directors. Now the CIO role is ancillary to security. She is still responsible for deploying new technologies and managing IT infrastructure, but her budget is controlled by the CISO. She knows that every proposed project will have to incorporate strong security justifications.
But wait. CISOs are very specialized. They are experts in regulatory compliance and comfortable putting out fires instead of building things that are secure. How can we flip-flop the roles?
It has been 22 years since the CISO role was first introduced. There is supposedly a dearth of qualified people for the many open CISO positions posted every day on LinkedIn. How will it be possible for organizations to signal their intention to make Security Job #1 if they cannot even find CISOs, let alone CISOs who can manage the entire IT department? Simple. Make the CIO the CISO and have him hire a CIO to do his old job. There are already a few instances of CISOs being promoted to CIO. Take advantage of those moments to elevate the CISO role.
Another avenue is to recruit from a top ten financial institution. The CISOs there manage staffs of thousands and budgets of well over $100 million. Of course they are perfectly capable of taking on the CIO role at just about any large corporation. They will jump at the chance to finally build a secure enterprise, one that treats security as Job #1.
This article is published as part of the IDG Contributor Network in CSO for IDG.