mnovelo - Fotolia
Information security is increasingly viewed as a material risk to the company that goes far beyond the domain of information technology. This shift is hastened in some industries by the continued fallout from the landmark Target Corp. and Sony Pictures Entertainment Corp. breaches, which not only cost those companies and their partners millions of dollars but also cost top executives their jobs.
After ousting the CIO and the CEO last year -- the company didn't have a CISO at the time -- Target's board of directors came under fire. Shareholders demanded the removal of seven directors in June 2014 for inadequate oversight and failure to protect customer data. That same month, the National Association of Corporate Directors released guidance for boards on their role in cyber-risk oversight. These guidelines included managing third-party risk, the exploited vulnerability in the 2013 Target breach, which tipped the balance on the U.S. rollout of chip and PIN. (Chip cards with PINs or signatures and the infrastructure to support them are mandated, starting this month, or companies face increased liability.)
The Security and Exchange Commission now requires companies to disclose cyber risks and material breaches. And the Federal Trade Commission is bringing lawsuits against companies for failure to protect consumers' personally identifiable information. In late August, the U. S. Court of Appeals for the 3rd Circuit ruled in favor of the FTC vs. Wyndham Worldwide Corporation. The litigation started in June 2012 after a breach. A closer look at Wyndham's privacy claims revealed that it failed to uphold promised security (lack of firewalls and basic protections). The case is still winding its way through the court system.
The upshot: In 2015, it is not unusual to have board-level discussions about cyber-risk oversight, with concerns ranging from assets at risk to information security responsibility and reporting structures.
How is this working out?
"My take on it is that it depends on the CIO," says Adam Rice, CISO at Cubic Corp., the San Diego parent company of two business units that specialize in global defense and transportation systems. Rice found himself in a board meeting alongside the CIO soon after he took the job in February.
James ChristiansenVice president of information risk management, Optiv Security
"When I went to my board of directors with my one year and two year plan," he says, "and with the CIO sitting next to me -- they asked me, 'Why should you work for her; isn't there a conflict of interest? Why do we have you reporting to her?' "
The vice president and CIO is Jan Marshall, formerly CIO at Southwest Airlines, who joined Cubic Corp. in October 2014. Rice calls her a "big-time CIO." He adds, "In my case, I don't think I will have a problem with my CIO, but if I do, the board asked me to make sure that I tell them immediately if I thought there was a conflict of interest."
"It is a trend now; I've seen more and more of the mature organizations absolutely moving in this direction," says James Christiansen, a longtime CISO who is now vice president of information risk management at Optiv Security (formerly Accuvant and FishNet Security). "I've been in board meetings with four or five companies where this is more of a major subject -- reporting structure, what should the duties of the CISO be and separation of duties," he says.
Shuffling the ranks
Many organizations have elevated the visibility of a dedicated chief information security function but the battle for top talent remains challenging. Some companies are hiring fulltime CISOs for the first time. Others are revisiting reporting structures and shoring up their ranks with CISOs who can attract talent.
Nike is facing a $5 million lawsuit, charged in federal court in January with hiring MasterCard International Inc.'s 15-year CISO William Dennings and another top security manager, and then conspiring with them to poach cybersecurity talent. Eight information security employees left MasterCard to join Nike. In March, the federal lawsuit was broadened to accuse Nike and Dennings, the first-ever Nike CISO, of reconfiguring Nike's network using a "confidential strategy." Dennings has since joined Bitcoin startup Bitreserve Inc. as its first CISO, a move the company announced in June, to work alongside Nike's former CIO Anthony Watson.
In what may be a harbinger of things to come, Booz Allen Hamilton has moved the CISO above the CIO in its corporate structure to increase threat visibility throughout the organization. As Eric Chabrow first reported in his The Public Eye blog in April 2014, executive vice president Thad Allen explained the reporting structure this way:
"The CIO at Booz Allen Hamilton actually works for our CISO. … It has to do with access, to articulate the threat and deal with senior managers on a more frequent basis. Basically, bring the operational threat environment out of the server room in the backroom into the visibility of senior managers."
Security beyond IT
Other companies face similar concerns about the visibility of threat information and data protection processes outside of IT. The major question at the forefront, debated for years: Should the CISO work for the CIO or is there an intrinsic conflict of interest?
"If you have a real grownup CIO then you can work for the CIO, but even in my job I have always run into some conflicts of interest," Rice says. "I think the trend is moving pretty quickly toward separating the CISO from the CIO position."
If the CISO is really just a guy who manages the firewalls, then that's a different situation, according to Rice. "If you have a grownup CISO, who is part of the business and sees his job as risk manager and is part of that solution for a company, with knowledge of regulatory and law and all these data standards, and he contributes to the conversation with the chief legal counsel and chief risk officer at the company … then that person is probably going to end up not reporting to the CIO in a large organization," he says. "The reason for that is the board of directors and all the collateral that they are getting -- magazines and things like that -- ask if the [CISO] role should evolve into an autonomous role."
Optiv's Christiansen -- who was the first global CISO for General Motors and has also filled security and risk officer roles at multiple companies, notably Visa, Experian, Evantix and Las Vegas Sands Corp. -- says the CISO role is changing into a "chief information risk officer." While a chief risk officer is often focused on insurance, the CISO now has to deal with information risk regardless of where that information resides. "When I first started in these roles, my job was really about securing the perimeter," he says. "Today you still have to think about the securing the environment. But when you think about the fact that 50% of IT spend is outside of IT, with all the SaaS applications and cloud security -- securing all those populations and managing third-party risk is now a major part of the job that is piled on to all of the normal duties."
Along with the expanding role, CISOs at mature organizations require business acumen and new skill sets, according to Christiansen. "They need to go into a board meeting and articulate the risks that they are seeing and explain it to all the other people who are reporting to the board, which means they have to change their language, they have to change their presentation style, and they have to be good public speakers."
Data security regulation and liability is also part of the mix. "When I worked at Visa, I did not have to worry about law and the security environment," he says. "Today's CISO has to also understand privacy laws across the nation and across the globe, and he has to be able to translate that to the security environment."
Layers of leadership
As companies attempt to protect more data, both structured and unstructured, data security leadership is also moving beyond the IT domain. A Forrester Research report, "Top Performers Appoint Chief Data Officers," published in August, found that 45% of the 3,000 companies surveyed already had chief data officers.
Fortune 500 companies like Morgan Stanley are also introducing technology committees at the board level to improve governance. While roughly 15 companies have technology committees today, it is unclear whether other organizations will follow suit. Boards are also encouraged to consider directors who have some understanding of data assets, vulnerabilities and general processes that enable the company to detect threats and mitigate them.
As more information security officers take the lead in protecting reputational brands and assets, the CIO and CISO dance remains a delicate balance. Increasingly CISOs are asked to participate in corporate initiatives outside of security programs, such as due diligence on acquisition targets. Companies like Booz Allen Hamilton have flipped the role and now have the CIO reporting to the CISO.
Reporting channels that bypass the CIO and go directly to the board of directors and other C-level executives often result in higher compensation, according to a 2013 salary benchmark report conducted by the Ponemon Institute. That same study indicated that more than 80% of CISOs still reported to CIOs.
If the position reports to a CIO, who is part of the inner circle, with a direct line to the CEO, then that reporting structure can work depending on the people involved. Rice, who has worked as a CSO at a global telecommunications company and had CISOs reporting to him, says the inner circle is still the CEO, chief financial officer and chief executive counsel. While he technically reported to the CEO as a CSO, the "corporate sponsor" was really the chief technology officer.
"The CISO cannot be effective if they are too deep in the organization," says Rice.
About the editor:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
Is there any reason enterprises shouldn’t fill the CISO role?