The relationship between CISOs and C-level executives isn’t always smooth sailing. Data shows that 30% of CISOs feel they don’t receive enough support from their CEO, which Mike Mestrovich, the former principal deputy chief information officer of the CIA, told us comes down to a few key things, like a changing structure in operations and risk.
“I would argue that the risk dynamic has changed substantially over where it was 10 years ago,” he said. “Therefore, if the risk calculus changes, should we reexamine the reporting structure, or at least how the CEO gets information to ensure that it’s timely and unfiltered?”
To better ensure CEOs and CISOs are on the same page, Mestrovich—who now serves as the CISO at Rubrik, a data management company in Palo Alto, California—said CISOs must prioritize clear communication.
“Arguably, you don’t want the CEO to be hearing from the CISO in a vacuum,” he said. “I would argue that the CISO needs to be briefing the entire executive leadership team of the company on a routine basis, so that all the business unit leaders have that information, and they can adjudicate how to go forward based on the cyber risk as presented by the system.”
Houston, we have a problem. Because of the way companies are set up with a clear reporting structure, CEOs often get a filtered view of requests from CISOs, but even within these hierarchical structures, Mestrovich says there are more than a few ways to tighten up communication and establish a system that works for the involved parties.
“Obviously, one [way] would be that the CISO ultimately reports to the CEO, just as the chief marketing officer does, the chief of human resources, the chief legal officer…and maybe that environment works for certain organizations.” Another way, he says, is to imagine a dotted line that connects the CISO to the CEO.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
With that, both the CEO and CISO can figure out the best way to approach reporting, exploring what the right cadence for information flow would look like. “Is that something on a weekly basis, something on a monthly basis?” he added, also noting the importance of clear, routine communication with the board.
Other issues CISOs and CEOs face, Mestrovich said, lie in the allocation of resources as well as the degree of organizational risk present. That means thinking about the resources that a company can offer up based on a “revenue and pipeline perspective,” as well as the company’s “future financial outlook.”
“When you put those two things together, you would argue that an allocation of resources to a certain level should be able to buy down some degree of risk.”
Paper trails. Given the critical security issues that CISOs have to deal with, Mestrovich said CISOs should become adept at proper documentation.
“There needs to be a written record that shows this was the program, this is how the resources were allocated, these are the risks that we were going after, this is how we cover down on those…If somebody needs to go back and say, how did we get to this point? Well, at least there’s a paper trail.”
When it comes to encountering and managing security issues, there’s never going to be zero-risk, he also noted, further emphasizing the importance of communication.
“There’s never going to be perfect security,” he said. “All you can really do is you can use your best judgment and you can put in place the tools and the people and the processes to do the best that you possibly can with the resources that you have available.”