Robert McFarlane, Chief Revenue Officer, Mosaic451
Data breaches are frequently followed by executive turnover and, increasingly, class-action lawsuits. Should the CISO reporting structure be changed to improve cyber security and breach accountability?
Data breaches and the costs associated with them are on the rise. In addition to the direct costs of a cleanup, enterprises are facing further losses from lawsuits. A court recently ruled against fast-food titan Wendy’s motion to dismiss a class-action suit filed by 26 financial institutions after a massive POS system breach, and competitor Arby’s is facing seven federal lawsuits, also filed by banks and credit unions, due to its POS system breach.
Who Is Responsible if a Company Gets Hacked?
The notion that someone must be held “responsible” after something bad happens is as American as baseball and apple pie. Traditionally, after a hack, that “someone” has been the CIO, the CISO, or both, but in recent years, firings have been rocking the entire C-suite.
“I call it the ‘Target effect,’” says Tim Mather of Fortium Partners, an executive leadership consultancy. “Target was the first breach where the CEO got canned along with the CISO and the CIO.” The Target breach, says Mather, set a precedent of breach accountability going all the way up a company’s chain of command.
New York Cyber Security Law Stresses Accountability
The state of New York recently passed a law requiring, among other things, that finance and insurance companies operating within the state hire a CISO, or at least outsource the function. New York’s legislation is an acknowledgement of the importance of having someone with whom the information security buck stops, and other states will likely follow suit, says Mather.“I’m not sure if they will require that companies hire a CISO specifically, but they’re going to demand that someone be individually responsible for security. If something goes wrong, that person, along with the CEO, is going to be held accountable.”
This is how things are done at Aaron’s, a national lease-to-own retailer. Almir Hadzialjevic, Aaron’s Vice President of Enterprise Risk and Security, explains, “While we do not use the CISO title, I am effectively responsible for all of our security functions.”
Modern security leaders need to be cross functional and have the authority to say yes or no to initiatives throughout the organization
Hadzialjevic sees the New York law prompting organizations to rethink their information security and the reporting structure of their security teams.
As breaches continue to escalate, costs continue to mount, and lawsuits and firings keep flying, is it time to rethink the role of the CISO and the security reporting structure?
Does the Current CISO Reporting Structure Aid or Hinder Cyber Security?
Historically, information security has fallen under the purview of the IT department, with the CISO reporting to the CIO, who in turn reported to the CEO or the CFO. However, a growing number of CISOs report directly to the CEO. Proponents of this reporting model feel that it enhances cyber security and clarifies the chain of command and accountability.
At Aaron's, the security team is completely separated from the IT department and the CIO reporting chain; Hadzialjevic reports directly to the General Counsel, who in turn reports to the CEO. Hadzialjevic explains, “Information security is a key, strategic function that touches every part of our business, not just IT. We wanted to establish proper segregation of duties, define clear accountability, and minimize any potential conflicts of interest.”
However, not everyone feels that having CISOs report to CEOs is ideal. Mather believes that having the CISO report to the CIO is still the most logical structure because it ensures that the security and IT functions do not end up operating in silos, which could impede cyber security: “When the CISO reports to the CIO, they are always right there, at all the key meetings for the IT department. They see the CIO all the time and get engaged in hallway discussions.”
A CISO “In Name Only” Is No CISO At All
One of the drawbacks of the New York law, Mather says, is that it doesn’t specify any standards for the CISO position. “A company can pull someone off their help desk, call them a ‘CISO’, and be compliant with the law.” Mather points out that this lack of standards is not exclusive to New York. “CISO’s as a profession are at an inflection point. The profession must decide where it goes from here. Someone needs to set standards so that the CISO title is not cheapened. It’s time for the CISO profession to grow up.”
In the meantime, hiring an unqualified CISO “in name only” is a bad idea all around, regardless of who the position reports to. If a breach happens, it is unlikely that it will shield the rest of the C-suite, the general counsel, or even the board from liability. Organizations that do not have the budget or in-house expertise to handle their own data security are better off outsourcing this function to amanaged security services provider (MSSP). A reputable MSSP can provide around-the-clock security operations support to companies and government entities with mission-critical infrastructure, staffed by experts who understand the importance of an empowered and well-aligned security management team.
Even in cases where an organization has a qualified CISO, partnering with an MSSP is a good idea. Cyber security impacts all facets of today’s businesses, not just IT. With the size, scope, and responsibilities of their roles continually increasing, security leaders often seek to engage effective MSSPs to take care of the 24/7 security legwork so they are free to focus on the big picture.
Modern security leaders need to be cross-functional and have the authority to say yes or no to initiatives throughout the organization. Their budget authority and level of empowerment to successfully execute their roles are far more important than their job title or reporting structure.