I have been doing Chief Security Officer (CSO) or Chief Information Security Officer (CISO) jobs for the past 18 years. For the purposes of this essay, I am going to use both titles interchangeably. There is an entirely different discussion about what the difference is between the two titles that I won’t tackle here. I will save that for another day. Suffice it to say that, during my security career, I either had the role myself or advised others in the role about how to think about the job. One of the permanent topics that always surfaces in those circles is where do these people fit into the organization? In other words, who should they report to? There are many schools of thought about this, and today, there is no one correct answer. It really is dependent on the organization’s culture. But to understand that, the first thing I want to be very clear about is that the CSO, in most cases, doesn’t have the same weight and authority as other officers in the organization with the letters “C” and “O” in their title like the:
- CEO (Chief Executive Officer)
- CFO (Chief Financial Officer)
- CTO (Chief Technical Officer)
- CMO (Chief Marketing Officer)
- CLO (Chief Legal Officer)
According to Chelan David at Smart Business, shareholders elect board directors to oversee the business. Directors choose officers to run the company day to day. Because of their “officer” role, these people assume a fiduciary responsibility to the shareholders. The rest of the organization’s people are employees. Typically, CSOs and CIOs (Chief Information Officers) for that matter, aren’t corporate officers. They are employees with fancy titles. Some, including me, find that disheartening.
Consider that the internet really became useful to business, academia, and government sometime in the early 1990s. Since then, there has been a steady state of ever-maturing and increasingly damaging cyberattacks in the form of cybercrime, espionage, hacktivism, and continuous low-level nation-state conflict. Thirty years later, you would wonder why more board directors don’t demand that a CSO, or maybe even a CRO (Chief Risk Officer), be appointed as a corporate officer. I have a couple of theories about why boards haven’t done this despite the evidence.
Theory 1: We did it to ourselves
According to some business historians, a guy by the name of Alfred P. Sloan was the “inventor of the modern corporation” way back in 1923. If you listen to NPR, you’ve probably heard his name inserted into commercials with phrases like “funding from the Alfred P. Sloan Foundation.” Mr Sloan was a complicated man, but the organizational structure he imposed on his car company, General Motors, was wildly successful and imitated thereafter by everyone. He instituted things like:
- Decentralized management, or general managers, for multiple product lines keeping the corporate staff small for the purpose of setting policy.
- Installed an annual operating forecast for each division.
- Required near-real time metrics.
- Established the standard that general managers are duty-bound to put the interests of the company ahead of their own.
From the early 1930s to the mid-1980s, everybody used Sloan’s model for corporate governance. It didn’t change at all for fifty years until the modern personal computer started to become a must-have device. CEOs started to realize that these PCs weren’t just data processing machines. They might be the nucleus for a business strategy that could give them a competitive edge.
In 1985, American Airlines stole Max Hopper back from Bank of America. It is a complicated story, but in the end, American Airlines gave Max the lofty title of senior vice president of information technology. According to CIO magazine, this made Max the first-ever CIO. Harvard Business School’s James Cash said that Hopper legitimized the role by making it clear that there was “a unique contribution to be made by someone who understood technology and could help influence the business strategy.”
The good news is that it looked like the captains of industry realized at just about the right time, just a few years before the internet really became useful, that technical leaders who understood business could really be valuable to the bottom line. Businessweek magazine declared just a year later that the Chief Information Officer was management’s newest star.
The bad news was that we didn’t see the first CISO until 10 years later. In 1995, in the wake of a very public Russian malware incident, Citicorp hired Steve Katz as the first-ever Chief Information Security Officer. Steve was, and is, a great avatar for what a CISO should be. He was cut out of the same cloth as Hopper, a technician who could talk to business leaders. Unfortunately, other CISOs hired subsequently didn’t quite meet that standard.
This is a gross generalization, but many new CISOs that came after Steve grew up on the technical side and had difficulty expressing technical risk in terms that business leaders could understand. They couldn’t convert technical risk into business risk. In the early days, every potential security problem was a crisis, and the CISO quickly gained the reputation of being the Doctor No of the organization. CISOs said no a lot and got a bad rap for being hard to work with, so hard that the corporate officers decided they didn’t want to deal with them. It wasn’t long before senior management started to stuff CISOs underneath the CIO within the organization. This is what I mean when I say we did it to ourselves. We didn’t adapt to what the business leaders needed and got relegated down the leadership chain because of it.
Theory 2: Cyber risk doesn’t need a corporate officer
Let’s take it as a given that cyberattacks have grown in maturity and capability to potentially affect the bottom line. Even if that is true, I can make a strong case that in general, the probability that a cyber adversary will materially impact any specific business, university, or government organization is pretty small compared to other business risks. The probability is absolutely higher for some organizations for sure. Right now, I wouldn't want to be a small town or a hospital of any size because the ransomware criminals seem to know where to find you. In general though, the probability of material impact by a cyberattack for most organizations isn’t any greater than a hundred other risks that the senior leadership needs to weigh. If that is the case, why does a board director need a CISO on the executive staff? Why can’t one of the other corporate officers handle it, like the CFO, the CLO, the CTO, or the CIO? Indeed, that is what most organizations do. The board directors may advise the corporate officers to hire CISOs, but they are perfectly fine letting the network defenders work for an existing corporate officer.
I don’t have any proof that these two theories are true. From my observations bumping around the industry these past two decades, I haven’t seen any conflicting evidence that would contradict them. But this is all conjecture on my part. The truth is that the reason CISOs are just employees and not corporate officers is probably a combination of both theories, plus three or four other factors of which I am unaware.
What that means is that, in today’s business world, CISOs generally work for three kinds of bosses:
- The CIO (most cases)
- Some other CxO as a peer to the CIO (some cases)
- The CEO (rare cases)
In all three cases, I have seen the structure work very well in some instances and be a complete train wreck in others. It all depends on the culture of the company, leadership style of the corporate officers, and the working relationship between the CIO and the CISO. There is no one best case here. My advice to newly minted CISOs in brand-new corporate gigs is to work with whatever situation you have. The chances that you are going to change the situation while you are there are small.
My preference is to have the CIO and the CISO work for the CEO as peers – as corporate officers – alongside the other CxOs in the organization, but those kinds of gigs are rare. They are also unlikely to become less rare in the future.
The bottom line is that there is no one right situation. If you have preference for one over the others, then either pass on the job if the situation isn’t right for you or just learn to live with it. With the right culture and leadership in place, you can get a lot done as a CISO. It is highly rewarding work. Just understand where you fit in the hierarchy going in, and you will have a lot less stress.
“CIO Hall of Fame: Max D. Hopper,” by Richard Pastore, CIO, 15 September 1997.
“Concept of the Corporation,” by Peter F. Drucker, published Routledge, 1946.
“Durant Versus Sloan – Part 1,” by steve blank, 1 October 2009.
“EVOLUTION OF THE CISO,” by Thomas Borton, ISACA Conference, 13 March 2014.
“Max Hopper: Modernized information technology at American Airlines,” by Trading Markets, 28 Jan 2010.
“My Years with General Motors,” by Alfred P. Sloan Jr., published by Crown Business, 1964.
“The Emergence of the CIO,” by IBM.
“Title tips: Officer titles and their meanings,” by Chelan David, Smart Business, 3 March 2016.