We wanted to share with you an important update on the nature of Reporting in the business IT hierarchy, and how that is affecting small, medium, and large companies. Namely, a recent Microsoft CISO Roundtable event in New York City that focused on CISO reporting to senior management, and how it has shifted due to the IT security crisis.

On October 17, 2017, a Microsoft CISO Roundtable discussion, led by Sean Sweeney, Chief Security Advisor for the Enterprise Cybersecurity Group took place, which highlighted, among other things, how the hierarchy has shifted in the business IT world, due to incident and response reporting and just how serious adverse incidents and the recovery time and types of responses involved are for businesses in 2017.

An interesting point of discussion revolved around the fact that CISO’s used to report to CTO’s (and other senior management IT positions) but now they report to CEO’s and COO’s and must report to the board of directors, and how that has changed the metrics they monitor as part of their jobs vs the metrics they report to the board of directors. The boards are most interested in “how many incidents have we had, how long did it take to discover, and how long to remediate,” etc.

Another interesting topic was on recognizing that compromised systems are unpreventable today. In other words – they are going to happen.  So, the challenge is to make the cost of a successful hack much more expensive by eliminating the easy, inexpensive attacks like exploit kits. Forcing these bad actors to spend time, money and resources to customize zero-day exploits greatly reduces the number of attempted attacks.

But as we know, since 100% prevention is impossible long term, detection and response systems are critical in today’s cybersecurity world. But, of course, each organization can only invest so much in a given period.

A relevant strategy expressed by Mike Lamberg, VP, Chief Information Officer at OpenLink, is “Secure what is reasonable, monitor everything else.”

To put in perspective how scary The Cyber Security World is today, Microsoft has informed us that they are aware that malware attacks are available for purchase within hours of new vulnerabilities being announced (on patch Tuesdays).

The day of the New York CISO event also featured the Microsoft Security Forum, which focused on the major-enhanced, now in place or soon to be released on what Microsoft refers to as their 4 pillars of Cyber Security: Identity and Access Management, Threat Protection, Information Protection, and Security Management.

How the New CISO Reporting Affects IT Staff Arrangements

With the new reporting system, increasing scrutiny is put on IT staffers – especially in mid-size and larger organizations with a major C-level executive and Board of Directors situation dominating the corporate culture and hierarchy of reporting.

And, this only adds to the stress and strain already felt by overburdened IT staff. Our POV at Krantz is that IT employees within corporate environments are already badly in need of supplemental help, in the form of a managed services provider (MSP) such as us to temper the average overloaded IT staff’s plate and to also help that company truly excel in business IT network productivity.

The latest standardized corporate policies on CISO reporting is one more big reason to have a qualified and seasoned managed IT services company augmenting in-house IT human resources

CISOs Increasingly Reporting to CEOs and Other Top Executives

A Dark Reading report in August 2015 noted that 50 percent of CISOs in one survey predicted they would be reporting to the CEO in the near future. However, the by March 2016 the same people surveyed said that 50 percent reported to the CIO, 15 percent to the CEO and the rest to the COO or a risk leader.

A noteworthy development on this front is that 92 percent of the CISOs in a K Logix Study reported some level of interaction with the company board of directors. Yet most also found the relationship to be lopsided and wished for more engaged conversations on risk.

A similar picture was painted in the “Governance of Cybersecurity: 2015 Report” by the Georgia Tech Information Security Center (GTISC). The report noted that “segregation-of-duty issues continue to be a problem in CISO/CIO reporting lines.” It also observed that the numbers are like those in its 2010 and 2012 reports: 40 percent of CISOs report to CIOs, 22 percent to the CEO, 8 percent to the CFO and 6 percent to general counsel.

It’s understandable that CIOs and CFOs would not volunteer their own position and that of their subordinates for reorganizing. Why would anyone expect them to approach the board or the rest of the C-suite and say: “I think the CISO should no longer be reporting to me as it is a source of conflict and prevents direct, possibly heated — yet necessary — discussions concerning cyber risks”?

In a piece from The Wall Street Journal, Avivah Litan, a Gartner cybersecurity analyst, said, “The security function needs to be elevated to [the] CEO level to give the organization the check and balance, and integrity, it needs.” This isn’t the first time it’s been noted that security leaders should have a dotted line to the board itself.

Repositioning the role away from reporting to the CIO might be especially important given other changes in the business. A study by Insight UK titled “The Reinvention of the CIO” found that 22 percent of senior directors think most of the technology budget should sit with the board, while 55 percent maintain that the CIO is a level below other C-level management positions.

Additionally, 44 percent felt that the CIO has lost importance in the past two years. If CIOs lose their executive seat status, where does that leave the CISO?

With Krantz Secure Assistance, It Will Leave You Right Where You Should Be

With our help, you as a CISO in a fast-growing organization won’t have to worry as much about the when, why, and what you’re reporting to the C-level executives. Having supplementary IT services management or a vCIO helping you out has been a huge plus for companies in NYC – not only where our company is involved, but industry-wide, wherever companies have an MSP in their corner.

The only problem is, it’s getting harder and harder to find a truly dedicated, competent, and experienced MSP who’ll put its nose to the grindstone for you.

But there’s good news: We’ve been in the computer security business since 1980. Whatever shifts and changes occur in your executive hierarchy, we can help calm the waters and make sure you’re reporting fewer IT adversities.

Ready for a Leading MSP in New York City to Help Your Chief Risk Officer or CISO?

Just call a Krantz IT consultant today at (212) 286-0325 or email us at [email protected] for more information on how our NYC IT consulting company can get you and your business venture to a place of optimum IT security, performance, and productivity, and ease the burden of CISO reporting to senior-level executives.