Beyond the functional distinctions we analysed in our reporting line article (CISO as a Figurehead / CISO as a Fire Fighter / CISO as a Change Agent), we need to consider the positioning of the role in the “three lines of defence” model in more depth.
Our analysis of the best reporting lines for the CISO applies equally well whether the role sits in a first line or a second line position. We have expanded upon this in a separate article, focused on GRC and making it work for InfoSec, in which we highlighted a functional model for Information Security to be effective and efficient in a proper second line position.
However, these reflections assumed a reasonably pure application of the concepts and a clear and traditional demarcation between first and second lines. In practice, this is rarely the case. The “three lines of defence” model is often poorly understood and poorly applied, leading to a variety of (more or less dysfunctional) hybrid models.
Judging by social media and broader online engagements, most people holding a CISO job title seem to be in a first line position, in charge of delivering technical protective measures across the IT estate. They have a strong interest in technical security matters, breaches and products.
But the reality is that the role of the CISO has been evolving organically and tactically for many years.
Many CISOs have been forced to develop risk management and compliance reporting capabilities, which should normally sit in second line. This is often driven by the immaturity, irrelevance or lack of interest of the corporate Risk and Compliance functions around them. In a number of cases, this move was prompted or encouraged by auditors or regulators. This is common in many financial firms where Risk and Compliance have been well established corporate practices for decades, but have only just woken up to Information and Cyber risk fairly recently – and are often struggling to articulate a meaningful message in that space.
In a different type of hybrid scenario, some of the few CISOs who seem to be positioned in the second line might have been forced to take on board “first line” operational duties because they were seen as the most able to deliver those successfully.
At the same time, the CISO is almost always a technologist by background – but not always a successful one. We have highlighted many times in previous articles that IT professionals are trained and incentivised to deliver functionality, not controls – and as a result, IT Security is rarely a path to the top.
Information Risk and Compliance practices developed by first line CISOs in a “bottom-up” manner are rarely comprehensive, and often poorly connected to other Risk and Compliance activities taking place across the organisation. Operational activities delivered by second line CISOs are often seen as inefficient and expensive, because many service management activities and technology platforms end up duplicated.
This is generally a symptom of broader governance problems and it is not rare to encounter large organisations where various overlapping functions, such as Information Security, Data Management and Data Protection, co-exist under different reporting lines – with little coherent coordination between them.
This is an environment where many CISOs struggle, burdened with a legacy position and legacy organisational arrangements which do not suit the needs of today’s enterprise.
Most surveys indicate that a majority of CISOs report to the CIO. We have stated repeatedly that this is not necessarily a problem, and that the reporting line should be determined on the basis of functional objectives instead of being driven by arbitrary separation of duties considerations. Those often create unnecessary barriers, fuel internal politics and prevent progress.
At the same time, the role of the CIO has changed and will continue to evolve over the short to mid-term. This is simply driven by the fast-paced evolution of technology over the past 10 years:
The CIO has to learn to deal with new stakeholders internally and externally and needs to become more of an influencer and less of a technologist. The CIO also has to learn to be less “in control” of IT and needs to develop a more structured attitude towards risk, in particular with regard to third parties.
Large organisations are not all at the same degree of maturity in relation to these concepts, but failure to grasp the depth of such transformational challenges may confine the CIO to the management of legacy IT while the CDO role takes centre stage.
A structured InfoSec practice can be a key ally for the CIO, but the Board must reward protection to attract and retain talent
In such a context, a strong Information Security practice can be a key asset for the CIO. However, a strong practice must have a clear sense of purpose and a visible backbone upon which the CIO can rely to keep a grip on a changing IT world.
In practice, the CIO must not allow separation to be blurred between first and second lines, and should structure the organisation accordingly.
Enforcing a degree of separation between risk management and controls enforcement within the CIO’s organisation could lead to the emergence of 3 distinct functional activities:
The “Information Risk Management” function should report to the CIO and interface with all non-IT stakeholders, internally and externally, as necessary (Risk, Compliance, internal and external Audit, regulators etc.). The other two functions could be structured at a CIO-1 level (possibly under the CTO or the Head of IT Infrastructure, where such roles exist) and would interface with all IT stakeholders as required.
What happens to the CISO tag in such a context? It continues to imply a degree of seniority in the role and, if kept in this type of model, should be applied to the “Information Risk Management” function – which is the most complex from a corporate perspective, and has the broadest managerial remit.
This leads us to suggest an alternative organisational model for large corporates to structure InfoSec in the portfolio of the CIO – updating the previous model published in April 2015 (itself the result of earlier research work, going back to 2012).
Moving towards the type of model highlighted here could imply splitting legacy CISO roles, and developing a different and more structured target operating model around Information Security.
It would, invariably, involve some form of redistribution of personnel, and skill sets may have to be reviewed and adjusted. In some cases, it may highlight a critical need to invest more in resources to cover areas where little had been done up to now.
The CIO and the Board should consider this a major step towards building a resilient IT practice in the face of virulent cyber threats – rather than continuing to pour resources, on an ad-hoc basis, into arbitrary technical projects.
The argument that this type of model could lead to a “conflict of interests” for the CIO needs to be handled with common sense (in particular in large organisations) and it is key to look beyond simplistic positions. A sound and comprehensive operating model is key to driving change, if that’s what is required around Information Security. Arbitrary separations often fuel internal politics and can create unnecessary conflicts.
In past articles, we have queried the control-mindedness of CIOs and implied that it was a major prerequisite for the Board to consider placing Information Security in the CIO’s portfolio.
The events of the past few years and the emergence of unprecedented media and political interest around cyber security, as a result of major cyber breaches, make it hard to imagine that any CIO in any large organisation would not take such threats seriously.
Beyond the control-mindedness of the CIO, what matters most today is the way the CIO addresses cyber security priorities – and this is something on which the Board can have a direct influence.
The Board should take an active interest in cyber security matters and drive real action in that space, but it can only work in real life if it translates into real incentives for real people.
CIOs have always been incentivised on cost control and the timely delivery of functionality. It is time for the Board to incentivise CIOs also on the delivery of security controls and the actual protection of the organisation from cyber threats.
These incentives should cascade down to attract and retain talent. Only attracting talent, retaining it over the right timeframes, and applying it at the right level across a structured InfoSec organisation will drive more comprehensive and structured protective operating models – and disrupt the mediocrity dynamics around Information Security, to create the conditions of a true security transformation.
All rights reserved 2022