Anna Leibel from The Secure Board advisory service discusses the changing nature of corporate leadership in the cyber security space.
Organisations constantly grapple with creating structures to ensure business functions work together. In the information age the challenge was to decide whether the lead technology executive, the CIO, would report into the CEO, the CFO, the COO or some other C-suite executive.
Today, that debate has expanded with the position of the lead security executive, the CISO, under increasing scrutiny.
Should the CISO report to the CEO, or is the chief risk officer (CRO) the best reporting line? Perhaps the function should report to the CIO or even the CFO, given cyber security has a strong technical and financial risk element.
The reality is that each of these options has its own pros and cons. The CRO might be right in some organisations but they may not have the technical knowledge and skills to understand the challenges and ask the right cyber security questions. If the CISO reports into finance, that may lead to a cost-averse security strategy. On the other hand, maybe that’s the best place for a new cyber security team that needs funding to ramp up.
The common decision to have the CISO report into the CIO makes sense at a technical level, but if the CISO reports to the CIO, then that may look like they're checking their own homework. If that's the case then perhaps you have a great CISO and the wrong CIO.
Great CISOs are not just strong technical leaders. They are great leaders who can operate across the entire organisation. They build and nurture strong relationships within the C-suite, build trust with the board and can work with auditors, regulators and other key stakeholders. Their capabilities go well beyond technical prowess and encompass strong communication and interpersonal skills.
However, in organisations with hierarchical structures, authority can be conferred through job titles. That means ensuring the CISO has a position that makes their authority to act clear. In some businesses there is a marked difference in authority between a department head and a general manager. That can mean a head of security finds it harder to pursue their cyber security agenda than someone with the title general manager, security or CISO. They may all have the same responsibilities, but the security leader must have the authority to carry out their role.
Great security leaders are not just technical experts. They are able to influence others and take the lead on educating the entire organisation. That's not just up and down the org chart but across business functions. While they may not have a hands-on role in every element of the execution of the cyber security strategy, they have the communication skills, empathy and authority to ensure the entire enterprise follows them. And like all great leaders, they have the self-awareness to see their own strengths and weaknesses and build teams that complement each other.
Building respect and trust with a board and senior leaders is perhaps the most important thing a CISO can do. There will be times when a CISO needs to say ‘No’ to the CEO, their board or a leadership peer. Building rapport and respect will ensure that those hard conversations are a little easier and received respectfully.
The CISO needs a reporting line that makes sense for that business. The reporting line and job title need to ensure that the CISO’s authority to act matches their responsibilities. That line will depend on the maturity and goals of the organisation.
Whether it's the COO, CRO, CEO or CIO will depend on where the business believes it best fits. More critically, it’s important to have a CISO who understands the business, can build relationships across every layer and department, and has the responsibility and authority to execute their duties.
Anna Leibel is the co-author of 'The Secure Board' book and co-founder of The Secure Board advisory service.