Where within your organization does the cybersecurity function fall, and to whom do they report – the CEO, CIO, CTO, or Security Office? I have recommended for over 25 years that the cybersecurity function is a security responsibility, not a technical responsibility.
Most cybersecurity professionals I’ve talked to over the years report to the CIO. I personally believe that the cybersecurity function is a specialized discipline of security, not a CIO function. Generally, organizations place all technology-oriented disciplines under the CIO.
I believe that having the cybersecurity function in the CIO office causes a conflict of interest for the CIO. CIO’s report directly to the CEO, whose mission in the private sector is to make money. The CIO’s mission is to provide information systems and technology that make the company more efficient and effective at the lowest cost. The CIO also helps the company stay on the leading edge of technology, which hopefully translates into making more money. It is hard to quantify the impact on the bottom line of the cybersecurity function until you have a breach.
The Security Office should also report to the CEO, and their mission is to provide all aspects of security for the organization. This includes the very different security disciplines of physical security, personnel security, and cybersecurity. You don’t put personnel security in the Human Resources office (or do you?); you have personnel security in the Security Office because it is a security function. You don’t have physical security in the Building Maintenance/Logistics Office (or do you?); it also falls under the Security Office.
I concur that most Security Offices don’t have the technical expertise to provide technical cybersecurity, but resources should be redirected and security personnel educated and trained. Where in your company does the cybersecurity function fall? To where/to whom do you think they should report?
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.