In the past, Information Security and Risk were not in any measure key focus areas for the CIO. Today there are multiple risks that every business faces, and cyber security is now on the radar of both the board and the CIO.
What happened? As businesses moved onto an increasingly digital agenda, basic manual procedures became digitized, and as a result they are now very much in scope for hackers to target.
There have been very public events like the Target breach, which has increased the awareness of the threat and the potential for reputational damage.
But despite this increased sensitivity, it would be unusual to find a CIO who has specific performance plan measures that relate to Cyber Security. For the average CIO, there is always an increasing number of objectives added to the annual review.
Usually there are too many, and the wise CIO will try to keep this to no more than 6-7 specific objectives. In this context it is not surprising that the CIO will have a more general written goal that encapsulates risk management and compliance. Within the body of this goal, would you find a reference to “Cyber”?
Where does the CISO report?
It is often the case that the CISO reports into the CIO. However, it is also apparent that the CISO frequently has a reporting line into a CTO instead.
One can argue that neither of these is ideal: you either report into the person in charge of technology or into the person responsible for the IT Strategy and overall delivery.