Who really owns security in the enterprise?
As more companies have faced risk, the list of security stakeholders has grown
Security leadership is not always neatly outlined in a organization. Whether it's the chief information security officer or the chief security officer, security ownership by title may seem obvious.
But as an increase in large-scale breaches and embarrassing cybersecurity shortcomings have illustrated security's bottom-line impact, different parties have become invested.
"Cybersecurity is now truly a cross-disciplinary and cross-functional element in any organization," said Zulfikar Ramzan, chief technology officer at RSA. "So the first thing that's got to happen is that mindset has to be inculcated in an organization, that it's not just about one person's [job], it's a shared responsibility."
A security "mindset has to be inculcated in an organization, that it's not just about one person's [job], it's a shared responsibility."
Chief technology officer at RSA
As technology has advanced, the list of security stakeholders has grown significantly, according to Ramzan:
The CFO cares about loss exposure.
General council cares about intellectual property and compliance.
The CIO is concerned about ROI, ensuring that what they have invested in technology is paying off.
The CEO cares about brand reputation.
And the chief risk officer may be concerned about business continuity and impact.
Though the CISO or the CSO might technically take ownership and find themselves in the hot seat if something were to go wrong, security has become a board-level concern.
For Kris Lovejoy, president of BluVector, security falls under the domain of all senior business leaders. When she was at IBM, for example, security was managed by a steering committee run by the heads of all lines of business, including the chief legal officer and the chief marketing officer.
"I would meet with them on a quarterly basis and they proofed my budget, reviewed my strategy and then any time there was a significant incident, they would help me determine whether we were going to disclose," Lovejoy said. By distributing ownership of security, it became a "team sport."
"It either has to be financially or legally prudent to make the security decisions we do."
Chief security officer and vice president at Citrix
The reason security has increased in importance so greatly across organizations is because the two main decision makers in companies are finance and legal, according Stan Black, chief security officer and vice president at Citrix.
"When you go under that guise, it either has to be financially or legally prudent to make the security decisions we do," Black said. When he speaks to the board, the discussion revolves around protecting the business based on risk for both the business and for customers.
At Citrix, Black takes ownership of security, reporting to the CFO who also serves as the chief operating officer. To declare a breach, both he and the general council would have to sign off.
Why not make the CIO responsible?
For businesses, risk can often be introduced at the infrastructure level, an issue that could potentially fall under the CIO. But in more enterprises, security is not their sole responsibility. Though they too have an investment in ensuring the reduction of enterprise security risk, CIOs tend to own internal business applications and end user computing, among other things.
The CIO owning security is a compartmentalization of the subject, according to Justin Somaini, chief security officer at SAP. Ten years ago, as many as 80% of CISOs reported directly to CIOs. Now, it's an even split, with more CISOs reporting to general councils or CROs.
"What we have in some organizations is a plethora of chefs driving the security narrative and nine times out of 10, when a problem occurs, everybody is pointing their fingers at each other."
Chief security officer at SAP
"I've had this question so many times, 'where do you want to report?' Honestly I don't care, as long as the culture allows me to reach out, build an executive or board level conversation that's mature, I'm empowered and supported to be able to engage in that conversation, to drive transparency and be held accountable," Somaini said. "What we have in some organizations is a plethora of chefs driving the security narrative and nine times out of 10, when a problem occurs, everybody is pointing their fingers at each other."
Though it is important to have board level-investment, Somaini believes in a centralized approach to security organizations. "If I do a bad job, that's easy to fix. But if there's three of us, you're not going to know, really, where the real root problem is, which causes a challenge."
Whether a CISO reports to the CIO, the CFO or directly to the CEO, the most important part is an organization's security mindset. A "gap of grief" is created when organizations cannot properly connect security details and business objectives, according to Ramzan.
"The CISO now has a new role. Their role can't just be to do security in a silo that they've cared about in their own little vacuum," said Ramzan. "They've got to think of security as cross-functional as well, which means being able to speak in the language of your board and your CEO, being able to speak with your CFO and really talk about things not just in pure technical terms, but in business terms."
Follow Naomi Eide on Twitter