Rick Howard: I have been doing chief security officer or chief security information officer jobs for the past 18 years. For the purposes of this episode, I'm going to use both titles interchangeably. There is an entire different discussion about what the difference is between the two titles that I will not tackle here. I will save that for another day. Suffice it to say that, during my security career, I either had the role myself or advised others in the role about how to think about the job. One of the permanent topics that always surfaces in those circles is, where do these people fit into the organization? In other words, who should the CISO report to?
Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. On this show, we are talking about where the CISO fits into the corporate organizational structure and why it came to be.
Rick Howard: There are many schools of thought about these ideas. And today, there is no one correct answer. It really is dependent on the organization's culture. But to understand that, the first thing I want to be very clear about is that the CSO, in most cases, does not have the same weight and authority as other officers in the organization with the letters C and O in their title, like the chief executive officer or the chief finance officer or the chief technology officer or the chief marketing officer or the chief legal officer. According to Chelan David at Smart Business, shareholders elect board directors to oversee the business. These directors choose officers to run the company day-to-day. Because of their officer role, these people assume a fiduciary responsibility to the shareholders. The rest of the organization's people are just employees.
Rick Howard: Typically, CSOs - and CIOs, for that matter - are not corporate officers. They are employees with fancy titles. Some, including me, find that disheartening. Consider that the internet really became useful to business, academia and government sometime in the early 1990s. Since then, there has been a steady state of ever-maturing and increasingly damaging cyberattacks in the form of cybercrime, espionage, hacktivism and continuous low-level nation-state conflict. Thirty years later, you might be wondering why board directors don't demand that a CSO or maybe even a chief risk officer be appointed as a corporate officer. Now, I have a couple of theories about why boards haven't done this despite the evidence.
Rick Howard: Theory one - we did it to ourselves. According to some business historians, a guy by the name of Alfred P. Sloan was the inventor of the modern corporation way back in 1923. If you listen to NPR, you've probably heard his name inserted into commercials with phrases like, funding from the Alfred P. Sloan Foundation. Mr. Sloan was a complicated man, but the organizational structure he imposed on his car company, General Motors, was wildly successful and imitated thereafter by everyone else. He instituted things like decentralized management or general managers for multiple product lines, keeping the corporate staff small for the purpose of setting policy. He installed an annual operating forecast for each division, he required near real-time metrics, and he established the standard that general managers are duty-bound to put the interests of the company ahead of their own.
Rick Howard: From the early 1930s to the mid-1980s, everybody used Sloan's model for corporate governance. It didn't change at all for 50 years until the modern personal computer started to become a must-have business device. CEOs started to realize that these PCs weren't just data-processing machines. They might be the nucleus for a business strategy that could give them a competitive edge.
Rick Howard: In 1985, American Airlines stole Max Hopper back from Bank of America. It's a complicated story. But in the end, American Airlines gave Max the lofty title of senior vice president of information technology. According to CIO magazine, this made Max the first ever CIO. Harvard Business School's James Cash said that Hopper legitimized the role by making it clear that there was a unique contribution to be made by someone who understood technology and could help influence the business strategy.
Rick Howard: The good news is that it looked like the captains of industry realized at just about the right time, just a few years before the internet really became useful, that technical leaders who understood business could really be valuable to the bottom line. BusinessWeek magazine declared just a year later that the chief information officer was management's newest star. The bad news was that we didn't see the first CISO until 10 years later. In 1995, in the wake of a very public Russian malware incident, Citicorp hired Steve Katz as the first ever chief information security officer. Steve was, and is, a great avatar for what a CISO should be. He was cut out of the same cloth as Hopper, a technician who could talk to business leaders. Unfortunately, other CISOs hired subsequently didn't quite meet that standard.
Rick Howard: Now, this is a gross generalization, but many new CISOs that came after Steve grew up on the technical side, myself included, and had difficulty expressing technical risk in terms that business leaders could understand. They couldn't convert technical risk into business risk. In the early days, every potential security problem was a crisis, and CISOs got the reputation quickly for being the Dr. No of the organization. They said no a lot, and they got the reputation for being so hard to work with that the corporate officers decided they didn't want to deal with them. It wasn't long before senior management started to stuff CISOs underneath the CIO within the organization. And that is what I mean when I said we did it to ourselves. We didn't adapt to what the business leaders needed and got relegated down the leadership chain because of it.
Rick Howard: Theory two - cyber risk does not need a corporate officer. Let's take it as a given that cyberattacks have grown in maturity and capability to potentially affect the bottom line. Even if that is true, I can still make a strong case that in general, the probability that a cyber adversary will materially impact a specific business, university or government organization is pretty small compared to other business risks. The probability is absolutely higher for some organizations for sure. For example, right now, I wouldn't want to be a small town or a hospital of any size because ransomware criminals seem to know where to find you.
Rick Howard: In general, though, the probability of material impact by a cyberattack for most organizations is not any greater than 100 other risks that senior leadership needs to weigh. If that is the case, why does a board director need a CISO on the executive staff? Why can't one of the other corporate officers handle it, like the CFO, the CLO, the CTO or the CIO? Indeed, that is what most organizations do. The board directors may advise the corporate officers to hire CISOs and have them report the infosec status to the board on a regular basis, but they are perfectly fine letting the network defenders work for an existing corporate officer.
Rick Howard: Now, I don't have any proof that these two theories are true. From my observations bumping around the industry these past two decades, I haven't seen any conflicting evidence that would contradict them. But this is all conjecture on my part. The truth is that the reason that CISOs are just employees and not corporate officers is probably a combination of both theories, plus three or four other factors for which I'm not aware. What that means is that, in today's business world, CISOs generally work for three kinds of bosses - the CIO in most cases, some other CXO as a peer to the CIO in some cases and the CEO in rare cases. For each situation, I've seen the structure work very well. In others, I've seen complete train wrecks.
Rick Howard: It all depends on the culture of the company, the leadership style of the corporate officers and the working relationship between the CIO and the CISO. There's no one best case here. My advice to newly minted CISOs in brand new corporate gigs is to work with whatever situation you have. The chances that you're going to change the situation while you are there are small. My personal preference is to have the CIO and the CISO work for the CEO as peers, as corporate officers, along with the other CXOs in the organization. But like I said, those kinds of gigs are rare. They are also unlikely to become less rare in the future.
Rick Howard: The bottom line is that there is no one right situation. If you have a preference for one organizational structure over the others, then either pass on the job if the situation is not right for you or just learn to live with it. With the right culture and leadership in place, you can get a lot of good work done as a CISO. And it is highly rewarding work. Just understand where you fit in the hierarchy going in, and you'll have a lot less stress.
Rick Howard: And that's a wrap. If you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Next week, I've invited the CyberWire's pool of experts to the Hash Table to discuss what they think is the CISO's place in the organizational structure. You don't want to miss that.
Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.