A deceptively simple question this morning from a client about where the information security function should sit in the organization structure set me thinking as the first coffee of the day did its magic.
My first thought is that it all depends on the organization, the existing structure and power bases, the specific interests of the individual executive managers, the strategic directions, the corporate culture, other stakeholders and most of all ‘the business’.
So for, say, a financial services, defense, health or intellectual property company, information is such a critically important, valuable yet vulnerable corporate resource that risk and security deserves direct representation in the C-suite i.e. a Chief Information Security Officer or possibly Chief Security Officer. For other industries, it’s not so clear-cut.
I strongly favour the core term “information risk” since risk to and involving information (not just computer data!) is what drives our field. Information security (i.e. mitigating information risks using controls) is just one way to deal with information risk, and we should not neglect risk acceptance, risk sharing and risk avoidance, plus the ‘opportunity’ side of risk (deliberately taking chances where justified for business reasons), which puts a different spin on control and security. Therefore, I would argue ‘risk’ is our natural home, hence (to me) the Chief Risk Officer would be a more appropriate boss than, say, the Chief Information Officer, Chief Legal Officer or Chief Financial Officer.
A specific concern with reporting to the CLO is the tendency to emphasize compliance with legal and regulatory obligations, externally-imposed on the organization … rather than on doing what’s best for the organization and its business. Legal and regulatory compliance is a low hurdle, albeit a very solid one, painful to trip over.
A specific concern with reporting to the CIO is the tendency to emphasize IT, data and cyber. Those are important, of course, but there’s more to information risk. Even if IT security is locked down tight, other aspects (such as fraud and other forms of social engineering, and IPR) can still sink the business, often undermining or negating the cybersecurity controls. To me, the whole cyber movement is seriously unbalanced and misguided ... but that's just my feeling having been through the evolution from IT security to information security in the 90's and the ascendance of BS7799 then ISO27k. "Cyber" is a retrograde step ... whereas "information risk" moves things forward.
A specific concern with reporting to the CFO is the tendency to emphasize economics, or more specifically accountancy and ‘the books’. Costs and benefits which are not easily accounted for tend to be ignored. Valuing intellectual property is a particular problem here, along with the difficulties of justifying investments in risk management/reduction. As a fan of metrics, I definitely appreciate the idea of 'managing by the numbers' but that's not the same as ignoring anything without a firm dollar value.
Yet another possibility is a Chief Governance Officer – someone to take the lead on governance matters … although that function often falls to the Board of Directors and the Chairman/Chief Executive Officer (depending on structure) and collectively to the whole C-suite and so on down the management hierarchy.
And finally, there’s the issue of other related aspects such as HR/people, health and safety, business continuity and audit. Where should they fit-in? They are also relevant to information risk and security.
At the end of the day, “C*O” is just the label on the door, a tag on the business card and an allocated parking place for the limo. What really matters is vision, leadership, competence, passion/drive and teamwork … and in that sense Information [Risk and] Security Manager - or indeed Consultant - is as good a term as any! Even a layer or two down in the hierarchy, backed with relevant security metrics and your own passion and drive, you can get plenty of stuff done through persuasion and collaboration: it’s just easier and quicker if you’re the boss, or at least have the bosses' ears.