A hammer is a valuable tool—but, not if you’re trying to cut down a tree. In the same way, your cybersecurity team is an asset to your company’s success, but it’s most effective when used correctly.
When trying to determine if you’re effectively using your security team—and consequently, if your CISO reporting structure is appropriate—you must first ask this question: What do we want our cybersecurity team to provide to the company? Your answer to that determines everything that comes next.
Traditionally, cybersecurity teams follow one of two basic modes of operation:
In this function, the cybersecurity team is separate from the company’s IT team. The CISO reports to the CLO or Chief Compliance Official. The benefit of this structure is that it allows segregation of duties between the IT team—who often handles day-to-day technical operations—and the cybersecurity team—whose time is better spent addressing security and compliance challenges.
This model works best for organizations that are process-centric (i.e. the company has implemented formal processes for most business operations and does not have to spend much time solving problems “on-the-fly”). For this model to work most effectively, “oversight” must be defined very clearly.
How will the security team oversee company processes?
What exactly will be done?
What specific activities are involved in the oversight process?
2. Operations + Oversight
In this structure, the cybersecurity team is responsible for both the oversight of the company’s security program, as well as some of its day-to-day IT operations. This model works best for organizations who are not necessarily process-centric and find themselves “putting out fires,” because it allows for rapid, integrated response when necessary.
The benefit of this model is that it allows the cybersecurity team to work directly with the IT team—a necessity in any organization. Beyond that, it allows organizations to mature to a more process-centric structure, from which the IT and cybersecurity teams can become segregated. One challenge with this structure is that day-to-day operations can consume the team’s security efforts. Instead of spending their time identifying and communicating risk and aligning strategic priorities, they can get stuck chasing helpdesk tickets.
The Third Method
While the two methods above have their place, the most advanced companies follow a Hybrid model, in which the cybersecurity team is spread across three reporting categories.
1. Reports both to the IT Department and the cybersecurity team itself
2. Reports solely to the IT Department
3. Reports solely to the Oversight/Compliance/Etc. Department
What’s the benefit? This model creates three minor divisions within the cybersecurity team: one that provides oversight, one that handles operation, and another that performs both oversight and operations as needed. This allows the security team to be flexible and responsive to day-to-day operations when necessary, while maintaining a strong security and compliance posture. So, to whom your CISO reports depends on the structure of your security team, which depends on what you want that team to provide to your company.
As a Board of Directors, you should understand what model management has decided on and what cybersecurity is going to do for the company. With this knowledge, you can draw your own conclusions if security is reporting appropriately within your company.
This blog is the third in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.