Istari

Where Should the CISO Report?

If a cyber attack can shut down operations, destroy business models or undermine competitive advantage, then it is not an operational risk – it is a strategic risk. Cyber attacks have shown that ultimate accountability to shareholders for such strategic risk resides with the board and CEO.

 

In response to the cyber attack on US retailer Target, for example, shareholders alleged that senior leaders and directors breached their fiduciary duties. They filed lawsuits against all board directors, the CEO, CFO and CIO, arguing that they showed reckless disregard for their duties, posing a risk of serious injury to the company.1 Five months after the attack, the CEO announced his resignation.

Does this suggest that the person responsible for cybersecurity should report directly to the CEO? In reality, this is rarely the case.

In 2019, 38 per cent of Fortune 500 companies did not even have a CISO.2 Of those that did, only 4 per cent listed the CISO on their leadership webpages – a sign that organisations continue to see the role of a CISO as largely technical rather than strategic, and subordinate to other IT-related positions. Many CISOs seem to be distant from the CEO. Although the CISO role is vital in protecting business value and defending against growing cyber threats, many companies continue to grapple with the most effective reporting structure. But there is no one-size-fits-all model.

 

Three Reporting Options

Although the models adopted vary by sector and geographic region, most organisations choose one of three options.3 In the traditional model, the CISO operates within the IT function and reports to the CIO. This technology- aligned approach seems a natural fit because securing an organisation’s IT is a cornerstone of cybersecurity policy. The downside, however, is that the CISO may become detached from business initiatives, which reinforces the perception that cybersecurity is an IT necessity rather than a business imperative. This model may also cause tension in resource allocation and speed of execution – CIOs tend to drive initiatives that accelerate digital transformation, whereas CISOs will want make sure this is done securely by design.

In the second model, the risk model, the CISO reports to the chief risk officer. Although this acknowledges that cyber risk is a business risk that can threaten an organisation’s survival, it may leave the CISO too detached from critical operational capabilities within IT.

Under the third model, the strategic model, the CISO reports directly to the chief executive officer. This gives the CISO high visibility within the business and elevates cybersecurity to the right strategic level. However, this means that the CEO and CISO have to align on a common language to avoid a disconnect between them.

There is no silver bullet

The Perfect Model Does Not Exist

 The perfect reporting model does not exist, because each model entails compromises. Although a well-crafted reporting structure is important in designing a resilient organisation, reporting is not, in and of itself, a silver bullet. So, what really matters?

Governance is the complementary but often overlooked aspect of designing cyber resilient organisations. It is the system by which companies are directed and controlled – the structure and processes for decision-making, accountability, control and behaviour at the top.

To enable a cyber resilient organisation, companies need to connect discussions on reporting structures with cybersecurity governance. If the correct governance is not in place, it won’t matter where the CISO reports. The cyber attack on Target is a classic case of governance failure. The attack exposed serious weaknesses in board- level governance. Astonishingly, it took about a month after the attack was initiated for its full effect to reach the CEO’s desk. Shareholders later accused Target’s audit and corporate responsibility committees of failing to recognise the potential threats to the company.4

 

Connecting Reporting Structures with Governance

In our experience, we see four key actions that executives can take to optimise their organisation’s design and governance:

  1. Incorporate new and more wide-ranging criteria in determining reporting structures
    Traditionally, companies have tended to determine their reporting  structures based on factors such as strategy, size and industry benchmarks. To find a suitable reporting line for their CISO, however, they should consider a much broader array of factors. These include a company’s cybersecurity maturity, stage of digital transformation, regulatory environment, risk appetite, IT architecture and the capabilities and leadership profile of CISOs themselves. Companies that only use traditional criteria risk ending up with a reporting model  that makes their organisation less resilient to cyber attacks.

  2. Frame cybersecurity risk as an enterprise risk
    Because cyber risk is often perceived as purely technical, mitigation gets delegated to the IT function. To mitigate cyber risk effectively, it needs to be treated as an enterprise risk and expressed in terms that everybody (including the board) can understand.  This means quantifying and  prioritising cyber risks based on the  potential damage to the business, highlighting points of vulnerability  in the business, setting out potential  cyber attack scenarios, and putting risks in the wider context of  geopolitical threats.
     
  3. Recognise that the board and CEO are accountable for cybersecurity
    Ultimate accountability resides with the board and CEO and not solely with the CISO – the attack on Target being a case in point. It often takes a debilitating cyber attack for CEOs and boards to recognise their accountability and to structure their organisation accordingly. As countries ramp up cybersecurity regulation, CEOs and boards will be held accountable not only by shareholders but also by regulators.5 
     
  4. Give the CISO a seat at the table 
    Irrespective of reporting lines, invite CISOs to board meetings when cybersecurity is on the agenda, ideally every quarter. The CISO can present to and increase the cyber literacy of the board. In a 2019 Harvard Business Review study, only 37 per cent of respondents said the CISO provided an annual cybersecurity strategy report and evaluation to the board.6

 

So, where does this leave us?

The unprecedented explosion of cyber attacks, seemingly destined to continue to rise, means that eventually almost every organisation will be put to the test. Under these circumstances, CEOs should maintain very close oversight of cybersecurity, if not a direct reporting line with the CISO.

Indeed, this is how governments structure their defences. When a country is under attack from a foreign adversary, the supreme command over the military usually resides with the head of state. Even in times of peace, the minister of defence reports to the head of state. Perhaps there is a lesson in this for the corporate world.

 

Access The Full PDF here

 

 

 

Sources

1. Kulla V Steinhafel, No 0:14-cv00203, complaint (D. Minn. filed Jan. 21, 2014), (https://storage.courtlistener. com/recap/gov.uscourts.mnd.136359/gov.uscourts. mnd.136359.1.0.pdf)

2. Bitglass (2020). The cloudfathers: An analysis of cybersecurity in the Fortune 500. https://pages.bitglass. com/rs/418-ZAL-815/images/Bitglass_TheCloudfa-thers_Fortune500.pdf

3. Scholtz, T. (2021). Determining whether the CISO should report outside of IT. Gartner (https://www.gartner.com/doc/4000571)

4. Sirinivasan, S. Paine, L., Goyal, N. (2019). Cyber breach at Target. Harvard Business School.

5. See, for example, Atkins, S., Luck, K. (2020) Enhanced Cybersecurity Regulation in Australia – What Directors Must do to Minimise Risks and Drive Business Growth. Oxford Law Blog (https://www.law.ox.ac.uk/business-law-blog/blog/2020/09/enhanced-cybersecurity-reg-ulation-australia-what-directors-must-do); Seah, S., Kao, J., Van Emmerik, E.G., Ng, N. (2019) Cybersecurity & Singapore: A balancing act  for executives and the board. TwoBirds (https://www.twobirds.com/~/media/pdfs/singapore-cybersecurity.pdf)

6. Pulse Survey (2019). Evolving the CISO role to make cybersecurity a competitive advantage. Harvard  Business Review (https://hbr.org/resources/pdfs/comm/pwc/Evolvingtheciso.pdf)

Lou Baran

Lou

Baran

Chief People Officer

Lou is Chief People Officer for ISTARI and her role encompasses the full remit of strategic and operational people matters. Lou is also Talent Adviser for our portfolio companies.

Prior to ISTARI, Lou has had 30 years of experience in HR, including 9 years as a management consultant. Prior companies include Hg Capital, Actis Capital, Thomson Reuters, Microsoft, Hay Management (now Korn Ferry) and Ashurst.

Over the course of her career, Lou has held a variety of roles in HR, both generalist and specialist and in a variety of organisational contexts, in particular restructurings and mergers and acquisitions. She has considerable international experience through global roles and also having worked in Asia for 9 years, Australia and the United Kingdom.

Lou holds a Bachelor of Business (major in Information Technology) from Victoria University, Australia.

Article Links

Where Should the CISO Report?
Abel Archundia

Abel

Archundia

MANAGING DIRECTOR, GLOBAL LIFE SCIENCES & INDUSTRIALS

Abel joined ISTARI in October 2020 as Managing Director, Life Sciences and Industrials. ISTARI is a Temasek platform company focused on helping the best companies in the world manage down digital risk.

At Bayer, Abel was head of IT and Digital Transformation for Bayer Pharma Division since 2017, and member of Bayer Group IT Board. Before joining Bayer, Abel was Global CIO, Sandoz, a Novartis Division (2012-17) as well as head of IT for Novartis Technical Operations (~85 plants) looking after manufacturing, supply chain and quality. He was a member of the Novartis IT Board.

Past positions include Cemex (CIO EMEA), Dell (General Manager, Mexico) and Boston Consulting Group (Principal, Monterrey and Dallas offices). He holds a degree in electronics engineering from Tec de Monterrey, Mexico, and an MBA and Public Management degree from Stanford Graduate School of Business.

Article Links

Where Should the CISO Report? Getting Cybersecurity Right for Manufacturing Keeping clinical trial data safe: Handling cybersecurity in a risky world