No Substitute for Experience – Or CISOs’ Backgrounds


The adage "there's no substitute for experience" rings truer every day. Despite the best efforts of classroom instruction, after-work seminars, and the growing mountain of online instructional videos, nothing prepares an individual for life's hurdles as well as having faced them before. This is especially true in cybersecurity leadership.

Based on the most recent State of Cybersecurity 2019 research issued by ISACA, cybersecurity practitioners are more confident working in an organization where their reporting line ends with an executive who has hands-on experience in information security, specifically a CISO.

Indeed, analysis of the data provided by information security leaders indicates that, when presented with a list of potential executives to report to, the CISO inspires the most confidence, while other executives, the CIO in particular, inspire less.

There are multiple factors that organizations take into consideration when establishing a cybersecurity function. These factors are universal in applicability yet unique in specific organizational implementation.

For example, the available operational budget often determines how many people can work on a cybersecurity team, or whether team members are dual-hatted – working on other technical operations when no incident is in progress. The type of business also shapes the kind of team required: the needs of a global cloud hosting provider differ from those of a local construction business. Reporting structure is part of these considerations as well, since the executive the team reports to sets its operational tempo, controls its budget, and represents it at the executive level.

Because cybersecurity is still relatively nascent compared to most other professions, the way cyber teams report into executive leadership is often poorly aligned and quite inconsistent from one organization to the next. Some cybersecurity teams report to the chief financial officer, while others report directly to the chief executive officer. Most often, however, cybersecurity teams report to either the CIO or the CISO.

While a casual glance at the CIO and CISO positions might lead a passing observer to believe that either placement is acceptable, closer scrutiny, as shown in ISACA's State of Cybersecurity report, reveals a marked difference in organizational confidence between the two.

Specifically, 79% of respondents in enterprises whose cybersecurity team reports to the CISO indicate that they are at least somewhat confident in their team's ability to detect and respond to cyber threats. When the same question is asked of respondents in organizations where the cybersecurity team reports to the CIO, only 68% say they are at least somewhat confident. Some analysts may dismiss this eleven-percentage-point gap as trivial, but it gains significance when compared with the 74% of respondents in enterprises whose cybersecurity team reports to the CEO who express the same confidence, which makes the CIO the lowest ranked of the three most common reporting lines.

Many questions arise when considering why organizations are more confident in their cybersecurity preparedness when a CISO is the ultimate authority and representative, rather than the CIO. However, it is important to remember that these two roles have separate functions and responsibilities.

In the case of the CIO, the primary responsibility and driving function is frequently to ensure that systems are available, functional, and usable by the organization's members. Many of these individuals come from the IT enablement side, some having found their footing at help desks and on enablement teams. CISOs, by contrast, typically build their careers with an emphasis on the confidentiality and integrity of data, so their backgrounds usually include security positions in which they were exposed to real incidents and attacks. This produces a distinct perspective, one that acknowledges the importance of connectivity and information accessibility but refuses to sacrifice security for them.

These professionals also tend to build systems using methods such as secure DevOps, in which security is designed in rather than bolted on. It therefore makes sense that organizations in which cybersecurity reports to a CISO feel more prepared for a cyber incident and have greater faith in their response teams.

Although many solutions exist to combat cyber-attacks and incidents, it is important to note that not all cures are as effective as others. As in any other profession, classes, seminars, and schooling matter, but when it comes to confidence in capability, there is no substitute for experience.
