That said most CISO’s are buried in their organizations. I would say that while it might be ideal to have the CISO as a department head, some companies may not find that palatable. Therefore the next level down, reporting to a CIO, CFO, General Counsel, etc. does still allow for effectiveness. I mean two levels from the top, when you start to get into the CISO reporting to the CIO reporting to the CFO, you end up with an overly burdensome chain that is similarly ineffective.

Any lower then that second tier and its clear information security is not a strategic concern of the organization to anyone looking at it (vendors, customers, stakeholders, employees).

Further, if you as a senior leader can’t imagine the person you have as CISO at that level of the organization, you don’t have the right person filling your CISO role, as its a strategic one when effective.

Therefore a good CIO has his or her CISO right next to him or her when dealing with the rest of the executive leadership. Or else the CISO is not in IT. But never should the CIO attempt to make information security a sub discipline of information technology, that approach is usually a prelude to failure.

I was reading your blog post and I agree with you that in order to create a serious approach to cybersecurity, “definite leadership” is needed along with “definite authority”. You mentioned in your post how having a CISO report to a CIO can work in certain instances. I have to say, in my experience these cases are few and far between. In order for this reporting structure to work, the CIO would need to have an in depth knowledge of not only Technology but Information Security as a separate discipline.

In many cases, the CIO misses the mark on understanding the need and urgency of security and fails at communicating that understanding to the CEO or executive board or whoever makes the final decision. In my opinion, the CISO should be the CIO’s peer and not a subordinate.

A company needs to be able to have a security leader with excellent business acumen who can translate the real state of security to a decision maker. They need to have the assurance that their recommendations will not be watered down by a boss who simply “doesn’t get it”.

This also eliminates any “fear” of disagreeing with your direct manager in the event the CISO’s views are in direct conflict with that of the CIO.

I think this message is slowly starting to gain traction as the world realizes that Information Security is not something you can fix with a firewall, but involves a lifecycle involving constant study of trends and constant adjustment of existing controls. I say this in view of the many bills that are currently on the House floor relating to Cybersecurity. One particular bill that caught my attention was HR 4900 that involves the creation of a National Office for Cyberspace and a cabinet level position within the executive Office of the President.

The individual chosen to be the Director of the National Office for Cyberspace will need to be appointed by the President but with the advice and consent of the Senate. I think this is a “game changer” and starts to place this “Security lead” in a position on par with other critical agencies with direct access to the President or his immediate advisors. I think this highlights the separation of “Information Security” as a necessary method in the overall approach to overall mitigation of risk.

I thought this was very interesting…

congrats on casting out and getting a hit

-Jason