Where the chief information security officer sits within an organizational structure has been debated for years. The issue was presumably resolved when the “chief” was added to the title. This clearly moves an information security officer or security officer into the C-suite among other executives that report directly to the president and CEO of an organization and its board members. Moreover, once the Sarbanes-Oxley Act was passed mandating CISO independence for the financial sector under its “separation of duty” requirement, all third-party service providers to the financial sector should have followed suit. However, the intensity of information security briefings often leads to organizations tucking the CISO under the CIO instead. After all, all technology is related, right? This is a huge mistake, and it is wreaking havoc on American data security.
Law firms and vendors are breached so frequently that corporations have tried forcing them to have better security—especially since hacking into a law firm is an easier target and success results in a larger treasure trove than just breaching a single company—by requiring firms to complete security protocol spreadsheets covering anywhere from 100 to 1,200 controls/questions. However, spreadsheets of controls are hard to manage, even if an organization has an ISO 27001 or SOC 2 certification. Additionally, these certifications are only snapshots of security protocols and do not give insight into day-to-day risk management by the organization’s CISO. Corporations still cannot see the daily security posture of a law firm that houses their data. And breaches of law firms continue.
According to some estimates, by May 2020, 25% of American law firms had already been breached. The organizational deficiency of having the CISO report to the CIO, or having no CISO at all, is allowing the greatest American data security disaster in history. It is the weak link in security postures that opens the way for American ingenuity to go right out the door and into the hands of outside actors and foreign nation-states.
Let’s explore the key differences between the CIO and the CISO and why the CISO should never report to the CIO.
Roles
Chief information officers have the mission to acquire hardware and software, configure and implement solutions that move the organization forward and keep it all within budget. This is IT rather than security. If they can roll out new client-facing solutions on time and within budget, they are rock stars. Their job is to please the customer rather than to push hard truths in the C-suite.
Chief information security officers have a very different mission. Their job is to implement security protocols that both mitigate risk and allow the free movement of data – no easy task. They are often perceived to occupy the Office of No and Delay. Executives did not necessarily want to hear about intelligence community briefings that indicate governmental-backed hackers are at the back door waiting to obliterate their organizations. That is too much to grasp in a 30-minute briefing where the CEO may not be familiar with 20% of what the CISO is saying.
Separation of Duties
Congress, state legislatures, international regulators and industry certifications have tried to impose security requirements on select industries, as well as demanding a “separation of duty” between the CIO and the CISO. Sarbanes-Oxley spells this out for financial institutions (Pub.L. 107–204 (text) (pdf), 116 Stat. 745, enacted July 30, 2002). The NYDFS Cybersecurity Regulation (23 NYCRR 500), passed in 2017, requires a CISO for financial institutions and all covered entities – which encompass any third party holding financial data, including law firms. The NYDFS also requires that all financial institutions and their vendors have the CISO conduct an annual cyber audit and report its findings. Law firms that provide services to the financial sector must abide by the security requirements of the financial sector. The GDPR, CCPA, NYDFS, NIST Cybersecurity and Privacy Frameworks and new Virginia Consumer Data Protection Act are just the beginning of the regulations that require the expertise of information security professionals within organizations.
These burgeoning laws are trying to hold organizations responsible for the security of client data, but within corporate organizational structures CISOs are often not afforded the independence needed to make that happen, let alone the ability to control what a CIO does when their missions conflict.
There is no legal mandate for an organization to have a CIO. The security of an organization, however, is now a regulated, industry standard-driven operation. With cloud technology, the burden shifts from the CIO to the CISO. Meanwhile, more industry-related laws and regulations are coming. Having the CISO separate from the CIO is one way to manage the security requirements of the multitude of laws, regulations and industry standard security requirements to make an organization safe. However, beyond this central justification, there are several additional reasons why the CISO and CIO should be separated within organizations.
Acceptance of the Risk
The first and most crucial reason that the CISO should never report to the CIO is the veto power the senior officer would have through what is known as acceptance of risk. Every new piece of hardware or software comes with a certain amount of data security risk to an organization. Every new process or workflow creates inherent data security risks that need to be identified and mitigated. The CISO works with a team to identify those risks and then puts protocols in place to eliminate the risk. If the protocols rule a project out, slow a project down or make using the new technology difficult, the CIO can step in, sign a piece of paper and accept the risk of overriding the security protocol. It is effectively a veto. Since CIOs are not tasked with being security experts, they may not grasp the long-term impact of the risks they are thus allowing – each a potential back door into the organization. And CIOs often have hundreds of acceptance of risk documents. A CISO that reports to a CIO has almost no recourse if the acceptance of risk leaves an organization vulnerable. But when a breach occurs, the CISO is often terminated. There are often no checks and balances between IT and security, and worse than that, most American law firms still do not even have CISOs, just IT departments.
Operational Conflicts
There is an inherent conflict of interest between keeping a platform, system or application running (the job of a CIO) with keeping them safe (the job of a CISO). If the CIO determines that the most effective and efficient way to keep things running smoothly conflicts with security requirements, the CIO has a clear line to address those concerns with the top executives or accept the risk. A CISO that determines otherwise based on security objectives must also have access to the top executives to allow the decision-makers of the organization to see the entire picture. In many organizations this is just not happening: CIOs are instead assuming security risk assessments with an incomplete knowledge base. A system of checks and balances is clearly the better option, but the CISO cannot provide that balance while still reporting to the CIO.
Involving Other Executives
CISOs often need to make security-based assessments by collaborating with other executives like those in human resources, physical security, the general counsel’s office and compliance. These collaborations often have nothing to do with hardware and software but are frequently policy-based or regulatory in nature. Such cooperation works best when both actors are on the same level within the corporate hierarchy.
Identifying Malicious Insiders
Information security teams are charged with monitoring networks and malicious intruders. They are also charged with monitoring negligent and malicious insiders. When those insiders sit in sensitive positions, like the IT department, independence from the CIO is a must. Additionally, IT staff do not need to know the details of an investigation or the extent of malicious or negligent behavior by executives until the security data has been assessed and the analysis is complete, especially if those executives are in the CIO office.
Implementing Nontechnical Solutions
Furthermore, the mission of a CISO is not limited to information technology. CISOs must often solve problems without technology. For example, they must implement educational and awareness programs and review briefings from U.S. Intelligence Community agencies like Homeland Security and the FBI. Intelligence briefings often require that security staff have clearances equal to the information being provided. For example, classified information may only be provided to persons holding a top-secret clearance and cleared staff may not be able to share intelligence with the non-cleared IT professionals in an organization. Security briefings about potential threats often include both classified and declassified information. The CISO should be able to present necessary security strategy changes to top executives and apprise them of new security risks and a changing security landscape without having to go through an intermediary to simplify the process of dealing with classified information. If an organization does not have a cleared professional on the security team, they should get one.
Cybersecurity Training Special Needs
IT professionals and lawyers are often confused by the cost of training for security professionals, which is vastly more expensive than CLEs or IT courses. IT training is available in many formats and from many sources. Although IT training is not as inexpensive as continuing legal education credits, it is miles cheaper than information security training. If you want to see sticker shock, submit the security team’s training budget for a year to an organization that has never had one before. A yearly Black Hat conference attendee pays nearly $3,000 not including room, board and travel. A single SANS course (SysAdmin, Audit, Network and Security) is between $7,000 and $8,000 per class and another $700-900 for the examination. Unlike other professional fields, IS professionals must continue to get appropriate training to monitor evolving threats and maintain professional certifications. Organizations have to invest in training. This leads to the last reason why a CISO should be separate from a CIO: budget.
Separation of the CISO’s Budget
In order to ensure that information security is robust, the CISO must have money to spend without being compared to the IT budget. Training costs alone create divisions in a department where the entire security team must spend thousands of dollars each on a single course and then all head off to the yearly Black Hat conference. CIOs often feel that these expenses are overblown and begin to whittle security training down. This is a mistake. The information the security community shares on evolving threats and solutions in team settings is invaluable to organizations.
And within the field the ever-evolving threats require new solutions and strategies immediately. A CISO needs a budget that is flexible and allows for changes to adequately defend an organization. Having special teams for information assurance, insider threats, network monitoring, etc., calls for specialized budgets, incentives and adaptability. It is difficult to weigh that against IT requirements.
Many arguments have been made for a separation of the CIO and CISO over the past decade. The more we learn as the position matures, the clearer this becomes. It is time for law firms and vendors to move CISOs out from under CIOs and take security seriously. American data security is under attack from foreign operatives seeking to benefit from the ingenuity and brilliance that makes American companies the most innovative in the world and hackers who want to sell your clients’ data to the highest bidder. If your organization does not have a CISO, either hire one or outsource the responsibilities. If you have a CISO, for goodness’ sake, give them the authority they need to do their jobs.
Originally appeared in Cybersecurity Law & Strategy, May 2021. © ALM Media LLC. Reprinted with permission.
Learn more about ACEDS e-discovery training and certification, and subscribe to the ACEDS blog for weekly updates.
Kenya received her law degree from The College of William & Mary. She can be reached at [email protected].