Improving Information Security Through Organizational Change

Author: Scott Rosenmeier, CISA, CRISC, CISM, CGEIT, CDPSE, CCSP, CIPP/E, CISSP-ISSAP, CISSP-ISSSMP
Date Published: 25 October 2023

Saying that the world has a cybercrime problem is an understatement. According to a global organization specializing in cloud-based email security, cybercrime is soon expected to cost the world US$8 trillion.1 If cybercrime were a country, it would have the third-largest gross domestic product (GDP) in the world, exceeding that of every country except China and the United States.2 To mitigate this threat, it is estimated that the world collectively spent approximately US$150 billion in 2021.3 In other words, the world is spending slightly less than two percent of the cost it incurs due to cybercrime to protect itself against cybercriminals. To help put these figures into perspective, the World Food Program USA estimates that world hunger could be eradicated by 2030 if a mere US$40 billion yearly were spent to tackle the problem.4

Cybercrime is a serious problem that impacts everyone who uses a computer. A vulnerability in one organization can result in hundreds of other organizations being attacked. A successful attack can result in the personal information of millions of individuals being stolen. The chief information security officer (CISO) stands between cybercriminals and the organizations they protect. Currently, many CISOs find themselves reporting to the chief information officer (CIO) or lower within the IT structure. This needs to be revised. Critical security projects and the addition of resources for IT projects are often not approved, and CISOs struggle to be heard. Implementing a comprehensive information security management system (ISMS) out of the IT department is, at best, a significant challenge, and the attempt to do so leaves many CISOs frustrated and looking for employment elsewhere. To effectively combat cybercrime, CISOs must report to the highest level of the organizations they serve to ensure they are heard and their message is taken seriously by all stakeholders.

Introducing the CISO

Organizations require a dedicated officer to coordinate and manage the information security function.5 Enter the CISO. To be effective, organizations need a CISO who has an independent personality, someone who is willing to tell the organizational leadership the truth regardless of the personal consequences, and, when all else fails, someone who can say, “I did my best” and walk away.6 The role of the CISO can be compared to a combination of the punishments given to Sisyphus and Cassandra. Sisyphus, punished by Hades for cheating death, was forced to roll a stone up a hill for all eternity, as every time he neared his goal, it would return to its starting position.7 Sisyphus’s punishment is comparable to the difficulty CISOs encounter when implementing security controls. Time and again, a careless user renders the best security controls useless. Alternatively, Cassandra was given the gift of correctly prophesying the future, but she was cursed by Apollo never to be believed.8 Cassandra’s plight is comparable to a CISO discussing risk management with both IT and business leaders, who are likely more concerned with keeping the lights on and making a profit than they are with the security of their activities.

Regardless of the type of organization, the CISO is likely to be seen as someone who slows the business,9 adds bureaucracy to IT processes, constantly predicts doom and gloom, and always asks for a bigger budget. Of course, almost every stereotype contains a grain of truth, but given the critical role technology plays in business today, securing the information processed by IT systems is imperative to the organization’s competitiveness and long-term survival.10 Researchers argue that one of the biggest mistakes made by information security professionals is not realizing security is a business issue rather than a technological issue.11 This argument is further underscored by the fact that:

Cybersecurity has expanded well beyond the confines of IT and has emerged as a concern at the highest enterprise level. It is now clear to see the potentially devastating effects on shareholder value, market share, reputation, and even long-term survival. Cybersecurity is an issue that crosses all organizational silos and boundaries, top to bottom, encompassing people, culture, and risk management and must bridge security, technology, privacy, and compliance.12

As one can see, the job of a CISO is daunting at best. Many CISOs know that if their organization is breached, they are likely to become the sacrificial lamb. Ironically, CISOs who have successfully navigated significant breaches, even if sacrificed in favor of political expediency, may find their value to other organizations has increased. This increase in value is because when they are inevitably breached, organizations prefer to have a captain at the helm who has already sailed through troubled waters.

At this point, one might ask, what kind of person would want to be a CISO? What kind of personal qualities must individuals have if they are willing to risk being regularly ignored when they point out security issues, only to be punished when an avoidable breach comes to pass? CISOs should possess determination, drive, a sense of humor, honesty, accountability, humility, flexibility and thick skin.13

Hard Skills a CISO Must Possess
As with any profession, determination to succeed only gets a CISO so far. A wide range of complex and proven skills are required to ensure that the CISO’s organization is adequately prepared to defend itself against inevitable cyberattacks. Unfortunately, due to the high demand for CISOs, enterprises are likely hiring some who are learning on the job. But putting an unqualified CISO in charge of organizational security is a recipe for disaster.

To be successful, CISOs must have, at a minimum, several hard skills. Perhaps the most crucial skill every CISO should have, although it is an area where many struggle, is the ability “to articulate IT security and privacy technical issues in a non-threatening and clear/actionable manner to nontechnical leadership.”14 In addition, CISOs must have good problem-solving skills that can be used to prevent, detect and mitigate security threats15 and understand the organization for which they work to develop the long-term strategies required to keep it secure.16

Technology changes overnight, and new attack vectors make it critical for the CISO to quickly learn what is new in the environment and unlearn what is no longer relevant.17 Based on strategy, a CISO must be able to develop and implement an actionable plan that makes the most effective and efficient use of available resources.18

Soft Skills a CISO Must Possess
As important as hard skills are, it is soft skills that are likely to determine a CISO’s overall success in implementing a security strategy. Although a technical education is necessary for CISOs, they must also be proficient in nontechnical skills such as collaboration, communication, management, and organizational and policy alignment.19

Given the importance of the CISO’s role and the extreme sensitivity of the data processed by the information security function, the most critical soft skill a CISO should have is the ability to ethically resolve situations.20 Eventually, most CISOs are faced with the choice of giving in to the demands of senior managers or standing their ground and refusing to provide collected data without proper authorization. In some cases, this refusal may result in a CISO being terminated, but this is a risk every CISO must be prepared to take.

Communicating clearly and directly is another essential soft skill every CISO must possess. CISOs must be able to communicate strategies to motivate and influence relevant stakeholders toward a shared vision of information security.21 Regardless of whether a CISO leads a large international team or is a lone wolf trying to implement security with limited resources, the ability to motivate, inspire, influence, persuade, collaborate, communicate, negotiate and champion a cause requires daily effort to overcome employees’ resistance to change and to resolve the many conflicts the CISO will face.22

Analytical and critical thinking skills are also crucial for a CISO.23 These come into play when the CISO is required to review a developing situation and determine the necessary level of escalation. CISOs who escalate too frequently may earn a reputation comparable to the fictional character Chicken Little, who was hit on the head with an acorn and ran around the farm screaming that the sky was falling.24 Conversely, CISOs who do not escalate appropriately will likely find themselves being held accountable for a successful cyberattack and could lose their jobs.

In addition, project management skills, which are not always included on the various lists of skills a CISO should possess, prove critical when a CISO attempts to implement new security solutions such as multifactor authentication (MFA), data classification, or data retention, all of which require significant effort from all levels of the organization.

Despite all the soft skills that enterprise leaders expect their CISOs to possess, there is one skill that is optional: courtesy.25 Organizations may not always willingly accept the limitations security controls place on them. At some point, someone, most likely the CISO, must tell staff that is the way it is.

CISO Responsibilities
As mentioned, a CISO has a wide range of responsibilities.26 The four areas of responsibility include:

  1. Protect, shield, defend and prevent—A CISO must ensure that the organization has implemented the proper controls to prevent a cyberbreach to the fullest extent possible. This is the primary responsibility of the information security function.
  2. Monitor, hunt and detect—CISOs are responsible for training staff and implementing tools that allow their organizations to identify internal and external threats. This task is often tedious and requires excellent attention to detail. One might think that the advent of artificial intelligence (AI) would reduce the burden on the information security team, but unfortunately, the opposite is true. Cybercriminals are embracing the advantages of AI, which means that the information security team must also embrace AI to counter this new threat. This may require not only additional training for security teams, but also the retooling of monitoring systems.
  3. Respond, recover and sustain—Many of today’s cybersecurity leaders recognize (or soon will) that a breach is inevitable and are already implementing plans to properly manage the breach, recover compromised IT systems, and keep the organization running while recovery is in progress. Preparing disaster recovery and business continuity plans may be considered a waste of time by organization and IT leadership; however, having these plans can mean the difference between an organization that successfully manages a cyberincident and an organization that no longer exists.
  4. Govern, manage, comply, educate and manage risk—The vast majority of the CISO’s daily work includes leading the information security department, creating and implementing policies to set the security guidelines employees are expected to follow, training employees, and performing these tasks in the context of organizational risk management. Providing security training has increased in importance as cybercriminals have discovered it is easier to deceive a person than to break through layered security controls. Unfortunately, the vulnerability of the very people whose data the security team is trying to protect will likely be the reason the data are ultimately compromised.

CISO Work Experience
In 2020, a study was conducted to identify the professional experience a CISO should possess.27 The information was gathered by reviewing candidate requirements posted on several hiring platforms, including Yahoo, Google, Monster and Indeed. Researchers identified several criteria:

  • Work experience—An applicant for a CISO position should possess an average of 10 years of experience in the IT security area, with approximately five years of security management and team administration experience.
  • Education—A CISO should have, at minimum, a master’s degree in IT security and multiple relevant certificates.
  • Other identified CISO skills and certifications—Although these do not guarantee a CISO’s success, organizations may consider certifications such as the Certified Information Security Manager® (CISM®) or CISSP when initially sorting candidates and deciding who to interview. Therefore, those wishing to become a CISO are advised to obtain one or more internationally recognized security certifications. Specific certification qualifications may be required depending on the employer.

The requirements listed in job postings are sometimes written by nonsecurity recruiters and may not accurately reflect the work experience a CISO actually needs. In addition to the experience mentioned, CISO hiring managers should consider:

  • Experience in various IT support functions, to understand how the pieces fit together
  • Experience managing incidents, though not necessarily cyberincidents, because major IT incidents often place individuals under the same level of stress and require the same coordination skills
  • The requisite skills to ensure that allocation of funds can be adequately justified, are used as planned and are fully accounted for
  • The skills needed to develop and deliver presentations that attract and hold the audience’s attention (Professional training may be required.)
  • Excellent writing skills, including the ability to write a whitepaper, for example.

Reporting Structure

In the past, it was common for the CISO to report to the chief information officer (CIO) and for information security to be perceived as an IT responsibility. However, the reporting line for CISOs is slowly transitioning from reporting to the CIO or potentially a level below the CIO to reporting directly to the chief executive officer (CEO).28 This transition has two primary drivers: information security has become a business-level concern, and there is a need to avoid the conflicting priorities that may arise when security reports to IT.29

In 2016, it was reported that both information security scholars and professionals called for the CISO to report directly to the CEO or the board of directors (BoD). Researchers built on this in 2017, stating that the CISO should be seen as a “technologist, guardian, strategist, and advisor” and should have a seat at the C-suite table.30 Ultimately, the CEO and BoD are accountable for breaches and, in more than one case, have been asked to tender their resignations or were outright terminated.31 However, enterprises must prepare for real organizational change to improve security and should wait until they are ready before adding a CISO to the executive team.32

Benefits of CEO–CISO Reporting
In addition to avoiding the potential adverse effects of a misaligned reporting structure, having a CISO report to senior management helps ensure that security and business strategies are aligned.33 By implementing a CEO–CISO reporting structure, organizations demonstrate to their business partners and investors that they take information security seriously. The goodwill this generates may be leveraged to increase revenue by attracting new customers or reducing the costs associated with cyberinsurance.

Executives wishing to enjoy the benefits a CISO can provide should ensure the CISO is in a position and has the resources required to secure the organization.34 The information security department, led by the CISO, should be seen as a strategic resource. A clear reporting line between the CEO, CISO and other executive team members should improve the alignment between business and security strategy. Moreover, the CEO–CISO reporting structure should reduce information asymmetry and minimize the communication gap between the information security function and executive leadership.35

Conflicts of Interest
Although there is no guarantee that the CEO–CISO reporting structure will yield all expected benefits, it will, at the very least, resolve the inherent conflict of interest when the information security function reports to the IT function. Having the CISO report to the CIO may result in security flaws not being reported to the executive team36 because the CIO may be tempted to instruct the CISO to withhold or modify information that would cast the IT function in general—and the CIO specifically—in a bad light.

Funding is another unavoidable source of conflict when the CISO reports to the CIO. If the security budget is part of the overall IT budget, security budgets may be reduced and projects canceled in favor of IT initiatives.37 As a strategic function, information security should not have to compete for funding with the IT department at the tactical level. Instead, the budgets for IT and information security should be reviewed and approved at the strategic level of the organization.

Another area the CISO often needs help with when reporting to IT is securing IT resources for security initiatives. The primary function of IT is to keep the lights on. Once this has been achieved, IT personnel can prioritize business initiatives from other departments. If the information security team reports to the IT department, it may be seen as an IT resource intended to support different organizational entities’ initiatives rather than an entity requiring IT support in its own right. However, some researchers disagree on this point, stating that there are advantages to the CIO–CISO reporting structure, such as a “deep integration into the IT organization,” which may make it easier for the information security function to accomplish its tasks because it is not viewed as an outsider.38

Regulatory Review

Stronger regulatory action will be required to ensure CISOs report correctly within their respective organizations. Without legal pressure to do so, organizations will likely continue to do what they have always done, and many CISOs will spend their careers reporting to the CIO (or lower) in the IT department. Several regulations that already exist are a good starting point, but there is still significant room for improvement.

Circular 10/2017 (BA)
The German Federal Supervisory Authority (BaFin) is the government agency responsible for regulating financial institutions. The BaFin regulates banks, insurance companies, and the trading of securities. The BaFin regularly publishes guidance in the form of circulars. Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions addresses the issue of CISO independence, stating that:

The management board shall establish an information security officer function. This function is responsible for all information security issues concerning the institution and third parties. It ensures that information security objectives and measures defined in the institution’s IT strategy, information security policy, and information security guidelines are transparent both within the institution and for third parties and that compliance with them is reviewed and monitored regularly and on an event-driven basis.39

Moreover, Circular 10/2017 (BA) provides explicit requirements regarding the reporting lines of the security function, stating that “in terms of organization and processes, the information security officer function shall be independent to avoid any potential conflicts of interest.”40

Common potential conflicts of interest include refusing to reveal the names of individuals identified in monitoring or security testing to superiors, and reporting the facts about a security incident that reflect negatively on a superior to senior management. Issues arising from these conflicts of interest can be avoided by implementing BaFin guidelines, such as:

  • “A description of the function and duties of the information security officer, their deputy and, if necessary, other organizational units should be defined.
  • The information security officer should be able to report directly and at any time to the management board.
  • The information security officer function should be independent of those areas that are responsible for the operation and further development of IT systems.
  • The information security officer may on no account be involved in internal audit activities.”41

Unfortunately, Circular 10/2017 (BA) only applies to organizations under BaFin’s control. This means that these requirements do not impact most German enterprises. However, they could likely benefit from implementing them.

23 NYCRR
Although the 2017 US State of New York Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR Part 500 (NYCRR)42 does not require the CISO to report to the CEO, it does require the CISO to report to the BoD at least annually and to have adequate independence and authority to ensure that cyberrisk is being appropriately managed.43 Moreover, 23 NYCRR Part 500 specifies that “the board of covered entities will be required to have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyberrisk” and that “the annual certification of compliance must be signed by the CEO and the CISO (rather than by a Senior Officer).”44

This regulation is a step in the right direction. Unfortunately, it only applies to financial institutions in the State of New York. Beyond 23 NYCRR, several US states have implemented data privacy legislation, which could ultimately drive the need for additional cybersecurity legislation.

GDPR
Although the EU General Data Protection Regulation (GDPR) is a data privacy regulation, it is generally understood that there can be no data privacy without information security. As such, it is worth looking at GDPR requirements for data protection officers (DPOs) and potentially using them as a starting point when discussing the CISO reporting structure:

  • Article 37 of GDPR states that “the data protection officer shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices.”45
  • Article 38.3 states that the DPO “shall not be dismissed or penalized by the controller or the processor for performing his tasks,” and “shall directly report to the highest management level of the controller or the processor.”46

Legal protection from being fired for doing one’s job and requiring the DPO to report to the highest levels of management helps ensure successful performance of the DPO role. The same protections should be afforded to CISOs so they no longer have to choose between speaking the truth and potentially being fired or remaining quiet and hoping for the best.

Conclusion

For far too long, the CIO–CISO reporting structure has hindered improvements in organizations, and it is time for executives to help resolve the issue. Although there is a general trend of the CISO reporting outside of IT, it is slow moving, especially outside of the financial sector. This structure has undoubtedly resulted in countless otherwise preventable breaches in organizations. The bottom line is that if organizations are not willing to put the CISO in a position to implement and enforce organizational changes, they might as well save the money they are spending on their information security initiatives and use it to pay for the executives’ golden parachutes after an inevitable breach happens.

Endnotes

1 Mimecast, Cyber Risk Commands the C-Suite’s Focus: The State of Email Security 2023, United Kingdom, 2023, https://www.mimecast.com/resources/ebooks/the-state-of-email-security-2023/
2 Ibid.
3 Bharath, A.; J. Caso; P. Russell; M. Sorel; “New Survey Reveals a $2 Trillion Market Opportunity for Cybersecurity Technology and Service Providers,” McKinsey and Company, 27 October 2022, https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers
4 World Food Program USA, “How Much Would It Cost to End World Hunger?” 10 August 2022, https://www.wfpusa.org/articles/how-much-would-it-cost-to-end-world-hunger/
5 Allen, J. H. et al.; Structuring the Chief Information Security Officer Organization, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, 6 October 2015, https://resources.sei.cmu.edu/asset_files/technicalnote/2015_004_001_446198.pdf
6 Shayo, C.; F. Lin; “An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function,” Journal of Computer Science and Information Technology, vol. 7, iss. 1, June 2019, https://jcsitnet.com/vol-7-no-1-june-2019-abstract-1-jcsit
7 The Editors of Encyclopedia Britannica, “Sisyphus,” Encyclopedia Britannica, 6 January 2023, https://www.britannica.com/topic/Sisyphus
8 The Editors of Encyclopedia Britannica, “Cassandra,” Encyclopedia Britannica, 19 May 2023, https://www.britannica.com/topic/Cassandra-Greek-mythology
9 Raths, D.; “Chief Information Security Officers: Moving Away From IT,” Campus Technology Magazine, vol. 1, 2016, p. 6–8, https://campustechnology.com/articles/2016/09/08/chief-information-security-officers-moving-away-from-it.aspx
10 Whitten, D.; “The Chief Information Security Officer: An Analysis of the Skills Required for Success,” Journal of Computer Information Systems, vol. 48, iss. 3, 2008, p. 15–19, https://www.tandfonline.com/doi/abs/10.1080/08874417.2008.11646017
11 Maynard, S.; M. Onibere; A. Ahmad; “Defining the Strategic Role of the Chief Information Security Officer,” Pacific Asia Journal of the Association for Information Systems, vol. 10, iss. 3, 2018, https://aisel.aisnet.org/pajais/vol10/iss3/3
12 Reilly, M.; A. Alexander; J. Cummings; “The Rise of the Chief Information Security Officer,” People and Strategy, vol. 39, 2016, p. 10–13, https://www.shrm.org/executive/resources/people-strategy-journal/winter2016/pages/chief-security-info-officer.aspx
13 Conklin, W. A.; G. White; “E-Government and Cyber Security: The Role of Cyber Security Exercises,” System Sciences, vol. 4, 2006, p. 16, https://doi.org/10.1109/HICSS.2006.133
14 Ibid.
15 Op cit Whitten
16 Ibid.
17 Op cit Maynard et al.
18 Ibid.
19 Goodyear, M.; S. Portillo; H. T. Goerdel; L. Williams; Cybersecurity Management in the States: The Emerging Role of Chief Information, IBM Center for the Business of Government, USA, 2010, https://www.businessofgovernment.org/sites/default/files/CybersecurityManagement_0.pdf
20 Op cit Whitten
21 Op cit Maynard et al.
22 Ibid.
23 (ISC)2, Nine Traits You Need to Succeed as a Cybersecurity Leader, USA, 2020, https://cloud.connect.isc2.org/qualified-cybersecurity-professional
24 Dindal, M.; Chicken Little, Buena Vista Pictures, Burbank, California, USA, 2005
25 Smit, R. et al.; “The Soft Skills Business Demands of the Chief Information Security Officer,” Journal of International Technology and Information Management, vol. 30, 2021, p. 41–61, https://doi.org/10.58729/1941-6679.1522
26 Op cit Allen et al.
27 Klappers, W. M.; N. Harrell; “From Degree to Chief Information Security Officer (CISO): A Framework for Consideration,” Journal of Applied Business and Economics, vol. 22, iss. 11, 2020, https://commons.erau.edu/cgi/viewcontent.cgi?article=2716&context=publication
28 Karanja, E.; M. Rosso; “The Chief Information Security Officer: An Exploratory Study,” Journal of International Technology and Information Management, vol. 26, iss. 2, 2017, p. 23–47, https://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?article=1299&context=jitim
29 Ibid.
30 Op cit Shayo et al.
31 Ibid.
32 Ibid.
33 Karanja, E.; “The Role of the Chief Information Security Officer in the Management of IT Security,” Information and Computer Security, vol. 25, iss. 3, 2017, p. 300–329, https://doi.org/10.1108/ICS-02-2016-0013
34 Lanz, J.; “The Chief Information Security Officer: The New CFO of Information Security,” The CPA Journal, vol. 87, iss. 6, 2017, p. 5–57, https://www.cpajournal.com/2017/06/23/chief-information-security-officer
35 Von Solms, B.; R. Von Solms; “The 10 Deadly Sins of Information Security Management,” Computers and Security, vol. 23, iss. 5, 2004, p. 371–376, https://doi.org/10.1016/j.cose.2004.05.002
36 Op cit Karanja
37 Ibid.
38 Op cit Shayo et al.
39 BaFin, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, Germany, 3 December 2021, https://www.bafin.de/dok/10445406
40 Ibid.
41 Ibid.
42 US State of New York, “Cybersecurity Resource Center,” https://www.dfs.ny.gov/industry_guidance/cybersecurity
43 Dembosky, L. et al.; “NYDFS Proposes Significant Changes to Its Cybersecurity Rules,” Debevoise and Plimpton LLP, 1 August 2022, https://www.debevoise.com/insights/publications/2022/08/nydfs-proposes-significant-changes
44 Ibid.
45 GDPR.EU, “Complete Guide to GDPR Compliance,” https://gdpr.eu
46 Ibid.

SCOTT ROSENMEIER | CISA, CRISC, CISM, CGEIT, CDPSE, CCSP, CIPP/E, CISSP-ISSAP, CISSP-ISSSMP

Is chief information security officer at Rödl and Partner and is working on a doctorate of business administration. He also has 12 years of experience in military intelligence in the US Army and has held senior information security positions at three global organizations.