Is your information security crushed by the org chart?

Funny cartoon. It's understandable that some organizations definitely wouldn't want their shortcomings broadcast for all the world to see. I am more focused on the first sentence, "Information security is a major priority at this company." That statement is heard a lot when you are a penetration tester and even when you are a "blue teamer" for a company. There are times when the best cyber security team can be stopped cold by an organizational chart. If the team is not properly positioned inside the organization and given the authority to implement policies and controls then nothing happens. Let's look at some examples I have witnessed in the past.

At many places there is no CSO or CISO to this day. At times this put the infosec nerds reporting to the CIO. The CIO is most often concerned with things working or availability. In addition he/she will develop a technological vision for future services and offerings within a company and how to make things better and/or faster. While this person may consider security as a component of their job, it is not their sole purpose and balance may be difficult to achieve. In one organization I saw a CIO who had been moved from either accounting or HR and made the CIO. They had no relevant technology experience yet had been placed in charge of all technology. At that point in time IT within the organization was stagnant and falling behind the technological curve. They had a security group, but no CISO so security suffered the same fate as IT in general. In a different institution I have seen the CIO report to a department head and not to the leadership of the company. Any c-level personnel should have the eyes and ears of the top two individuals or governing board of an organization. Without that, this CIO was effectively just a middle manager with a fantastic salary and title yet no actual authority. I know some folks hold to the idea that people can effectively wear multiple"hats" and have even seen that work in smaller businesses. My experience with larger companies has shown that trying that simply enforces the status quo, which may be their goal and that's fine, and does not foster effective internal communications and relationships. In the simple diagram below I have shown the c-level folks as equal peers reporting to the number 2, as a minimum, within this organization. I have seen other examples where security reported to the CFO or was incorporated into internal audit but those models were short-lived examples. I would love to get some examples from the real world with success stories.

No comments:

Post a Comment