ArtFamily - Fotolia

Why a CISO-CIO reporting structure undermines security

The CISO-CIO reporting structure comes with a serious conflict of interest, argues cybersecurity expert Tarah Wheeler. Here's why.

Editor's note: This is an update of an interview with information security researcher Tarah Wheeler, conducted at the ISSA International Conference in San Diego in 2017. There, Wheeler argued that CISO-CIO relationships can undermine an organization's cybersecurity efforts, in particular when companies have their CISOs reporting to the office of the CIO. We recently touched base with Wheeler, a fellow in New America's Cybersecurity Initiative, for an update on her views of the CISO-CIO reporting structure and how organizations are dealing with potential conflicts of interest when the CISO's boss is the CIO.

You have argued that CISOs should not report to the organization's CIO. Why is that?

Tarah Wheeler: When CIOs make tech buying decisions -- for example, enterprise-level software -- that the organization's CISO is then expected to secure, there is a conflict of interest in having the CISO report to the CIO. If CISOs have a different opinion about which enterprise software is better or which would be easier to secure, their capacity to tell their boss that is diminished, because that is the person who pays their salaries.

CISOs are the executives who take personal responsibility for securing an organization. The CISO is the person who signs off on PCI compliance, on HIPAA, on FINRA. They are very frequently the person fired when they can't secure the organization. So, as the person who is legally liable for the security of an organization, the incentives are wrong when their paychecks depend upon them agreeing with their boss.

So a CISO-CIO reporting structure handcuffs CISOs.

Tarah Wheeler, Fellow, New America's Cybersecurity InitiativeTarah Wheeler

Wheeler: It's a double-whammy. It's not just that they're regulating the person who pays them, it is also that the CISO's organization is dependent upon the budget that the CIO approves.

There's a natural conflict of interest between the CISO and the CIO in the same way that the chief of police and the chief of internal affairs have a natural conflict of interest.

So who should the CISO report to?

Wheeler: There are a lot of good reporting structures. Reporting to a CFO often works very well. Some of the most successful ways I've seen this work is having the CISO reporting to the EVP [executive vice president] or the COO.

It rarely works to have the CTO be the person the CISO is reporting to, because the CTO is often the person who is developing products, and their business is very different from the CISO's business.

The CISO is a support mechanism for the company, like HR, like legal. They should not be part of the product and sales of a company. In a tech company, at least, the CTO is usually the chief product officer.

Are you hearing any discussion at the board level on the inherent risk of a CISO-CIO reporting structure?

Wheeler: I am starting to. I am seeing companies start to understand -- and this has only really been since the major fines under GDPR have hit companies and affected their stock prices. Boards are understanding that they need to hear from the cybersecurity chief of the company directly. One of the ways I have seen CISOs solve this [CIO-CISO] reporting conflict is by requesting -- and guaranteeing in their contracts -- that they give at least a quarterly presentation to the audit committee and the board. That doesn't kill all of the problems of CISOs reporting to the CIO, but it ensures that security is getting heard.

Preparing the C-suite for incident response

What follows (below) is Wheeler's original interview. The points still hold, Wheeler said.

How should security professionals prepare the C-suite for incident response?

Wheeler: One of the greatest things you can do is put people together in a room and assign them random roles. Do a role-playing exercise where someone has discovered a breach, and then make sure that the people who are usually in charge of decision-making are the ones who are discovering and reporting the breach. All of a sudden, you find out that there are holes in your process you didn't know existed.

In addition, if you are a company that is really devoted to making sure that people stay safe, and especially if you protect personal information, you need to make sure that everyone down to the janitor has the ability to say, 'Something deeply wrong is happening.' And for that to really work, you have to trust your people. Train them well, educate them well, and make sure that when someone says, 'We need to stop everything and fix this problem,' you believe them and you listen to them. Don't let it get wrapped up in some compliance update three months down the road. If you've got an emergency, treat it like one.

With new tech being introduced, how important is it to reexamine existing data security and privacy processes?

Wheeler: It's more important to secure existing data and existing security processes than it is to introduce additional products. The exploits that are being used right now to break down the walls between criminals and 143 million people that had their information stolen from Equifax was a six-month-old breach in Apache Struts. That is an old technology, and knowing how to patch technology that you have been using for a decade and ensuring that you have a continuous secure process is far more important than trying to buy the newest, cool tool. We need to make sure that our fundamentals are handled first. That protects the most people for the least amount of money. After that, you can go crazy with the new technology.

What should CIOs and CISOs do to prevent security breaches like Equifax in the future?

Wheeler: I'm going to call back to what I originally said [about the CISO-CIO reporting structure], which is that a CISO who reports to a CIO is hampered in making sure that they are capable of telling the CIO that they're screwing up. When we talk about preventing breaches like this in future, the absolute number one thing that CISOs and CIOs need to do is understand who their customers are and whether or not there is an incentive there to protect their security. There wasn't one there in the Equifax breach. That's where the problem lies.

Next Steps

Who should the CISO report to?

Can the CISO-CIO partnership bolster cybersecurity?

How to organize the CISO reporting structure?

Dig Deeper on CIO strategy