In the past, Information Security and Risk were not in any measure a key focus area for the CIO. Today every business faces multiple risks, and cyber security is now on the radar of both the board and the CIO.
What happened? As businesses moved into an increasingly digital agenda, basic manual procedures became digitised and, as a result, are now very much in scope for hackers to target.
There have been very public events, like the Target breach, which have increased awareness of the threat and of the potential for reputational damage.
Not a performance measure in sight
But despite this increased sensitivity, it would be unusual to find a CIO who has specific performance plan measures relating to cyber security. For the average CIO, there is always an increasing number of objectives added to the annual review.
Usually there are too many, and the wise CIO will try to keep this to no more than 6-7 specific objectives. In this context it is not surprising that the CIO will have a more general written goal that encapsulates risk management and compliance. Within the body of this goal, would you find a reference to “Cyber”?
Where does the CISO report?
In many organisations the CISO reports into the CIO. However, it is also common to find the CISO with a reporting line into a CTO.
One can argue that neither of these is ideal: you either report into the person in charge of technology or into the person responsible for the IT strategy and overall delivery.
At face value this all looks OK, but when there is a conflict of priorities, who wins the argument? I’ve seen large programmes of work and digital transformation changes where someone is arguing to short-change cyber security (penetration tests); that is where the CISO comes into conflict with a CIO manager.
On the other hand, when a CISO reports into the CTO, one can find that server patching is not as high a priority as some new cloud migration.
I’ve recently read some interesting reports arguing that the CISO should report into the CEO. That’s another question in itself, but for now I would say it is best to have the CISO report as high in the organisation as possible.
The Board is starting to care
The other reason why a CIO should care is that his or her Board is starting to realise that cyber security is a tremendous business reputation risk. Let’s take a few examples:
- DDoS attacks
- Zero Day Malware
- Business Economic Compromise (BEC Whaling Attacks)
In each case we have a cyber security threat with the potential both to disrupt the business and to cause reputational damage to the enterprise. Hence the Board cares, and as a result you, the CIO, have to pay attention to these new threats.
No bonus but certainly downside
This is not a topic that is going to win you any new reward for doing well. In this regard there is no “carrot”, just a “stick”, should you and your team not succeed in keeping cyber security threats at bay.
The only benefit is that you may be able to retain your position by managing what is now a significant enterprise risk.
Yes, the CIO should care about Cyber Security.