The CIO Sticking Point - Time to Get them out of the Reporting Line
CIOs cop quite a bit of criticism from the Information Security industry and the people in it. (They’ve also copped quite a bit in posts here.) Rightly so, I believe, in most cases.
There are some really good CIOs out there when it comes to understanding and working on Information Security issues and doing the right thing by their companies, but to be honest, there are also many CIOs that fail dismally. Regardless of whether they’re getting advice and guidance from their security people, ultimately, a level of accountability must sit with them.
If you’re a CIO and you’re not reporting the state of risk and security on a regular basis to your CEO and/or Board, you are not only putting your organisation at greater risk but, looking at the bigger picture, also its business partners, shareholders and everyone else associated with that business. (The CFO is reporting financial position and risks on a regular basis, so why aren’t you?)
What is the problem?
In brief, it comes down to some or all of the following:
- A general lack of understanding and appreciation of the true risks (and what should be being done)
- Security projects not seen as high-priority / high-profile projects
- Lack of budget to dedicate to security
- Fear of looking bad [to senior management]
I could also add that some don’t really care, and while that may be the case for some, I’d like to hope that any in this category make up less than 1% of the CIO population (though some of you readers may have differing opinions on this). In my opinion, the four points above probably cover the majority of reasons why CIOs fail when it comes to Information Security.
It’s interesting when we get the opportunity to present the findings of work we’ve undertaken for an organisation to the CEO and/or Board as opposed to just talking with the IT Security Manager or CIO.
The IT Security Manager (or CSO) generally takes the issues reported seriously and attempts, to the best of their abilities and against organisational roadblocks (i.e. sticking points), to get the issues resolved. They’re generally on the same wavelength and understand what these issues potentially mean to the business. (Aside: more IT Security Managers and CSOs should be the CIO.)
The CIO - Somewhere along the line, the logic in terms of impact and potential risk to the business gets lost and clouded as they assess the report and meld it with the four bullet points mentioned above - STICKING POINT. And this is where the majority of Information Security issues remain - filed away in the too-hard basket. Information security people start complaining, lose respect for and confidence in the CIO, become disgruntled, and most eventually leave to look for greener pastures.
Interestingly, CEOs and Boards are more interested in listening to Information Security issues being faced by their business than most CIOs are. Their eyes don’t glaze over and they genuinely care and want to understand the potential impacts to the business. In almost all cases where we’ve been invited to present to the CEO and/or Board, that organisation has rapidly changed their mindset and approach to Information Security and Risk Management practices.
Is there a better argument for removing the CIO from the reporting line for Information Security? We can ramble on and on about awareness growing, CIOs getting more involved, things changing, etc., but is that really the case?


August 11th, 2008 at 12:15 pm
It’s interesting that many Info Sec people see the business as a road block and vice versa as well. Good old-fashioned mutual respect and understanding, with realisation of the common goals, goes a long way.
There is always a middle ground but it comes down to managing risk. Unfortunately this is where many organisations fail, and if they fail at this point there is little further down the line (for the business or technology) that will save anyone.
October 23rd, 2008 at 8:46 am
[...] This document is something that should interest senior business management (if you can get it to them and give them an introduction as to why it is in their best interests to read it). It’s not perfect but it is one of the better ones I have seen. CEOs, CFOs, COOs, Legals should all be on top of this. Try your luck with the CIO but chances are he’ll insert it into either of two containers - the inbox (never to see the light of day) or the one next to it called the “too hard basket”. (CIO explanation here). [...]