It's Time to Set CISOs Free

Cybersecurity is hard. It is especially hard in higher education. At large universities, we engage in activities and functions that are common in many industries, from banking to law to medicine. As large enterprises, we handle lots of money. We process and store millions of identities. We create valuable intellectual property. We therefore must defend against the same threats as financial services, government, and retail companies. Further, we must protect our information while also supporting a mission and a culture that value privacy, agility, innovation, and autonomy.

Doing cybersecurity effectively in higher education is complicated and difficult. The chief information security officer (CISO) is charged with the bulk of this defense, and in academia and the wider world the CISO has historically operated within the confines of IT departments, reporting to the CIO. As early as 2015, however, K logix found that close to half of CISOs in commercial companies reported to someone other than the CIO and more than half expected this trend to continue. In contrast, as Jeffrey Pomerantz recently reported, 83% of CISOs in higher education report to the CIO.

Although the commercial world has different goals and traditionally moves much faster than our field, I think that waiting to see if a similar change in CISO reporting structure will take hold in higher education will only hurt us. At least one study has shown that, in enterprises where CISOs report to CIOs, a breach is more likely and, on average, more damaging than in enterprises where CISOs have a different reporting chain. Although an exceptional CIO can certainly mitigate or overcome reporting-chain issues, it is unwise to depend solely on exceptional leadership.

The CISO in Higher Education

CISOs acquire and operate security technology and protect the institution's IT systems and information. According to a recent EDUCAUSE Center for Analysis and Research survey of CISOs in higher education, CISOs typically lead compliance programs such as those related to Payment Card Industry (PCI) standards and the Health Information Portability and Accountability Act (HIPAA). This work includes performing risk assessments on systems that process high-risk and regulated data. Many CISOs are also the custodians of digital identity, leading an institution's identity and access management efforts. Knowing who is behind the keyboard and which data they are entitled to access is a critical security function.

Further, as the European Union's General Data Protection Regulation [https://www.eugdpr.org/] (GDPR) becomes operational, many colleges and universities are establishing the role of privacy officer. At some institutions, such a position reports to the CISO, while in smaller schools, the CISO is likely to wear the privacy hat, too. In any case, all of these CISO roles are becoming more important at all institutions, with significant overlap and impact across campuses.

Historically, the CISO has been a member of an institution's IT department, reporting to the CIO and focusing on the technical aspects of protecting against, detecting, and responding to attacks on IT systems. Although this remains largely true today, this arrangement is being increasingly questioned in many fields for both security and financial reasons.

For example, the 2014 PwC Global State of Information Security Report found that organizations in which the CISO reports to the CIO had 14% more downtime and 46% higher financial losses due to cyberattacks than organizations in which the CISO reports directly to senior leadership. Some of this latter group of CISOs report to the same person as the CIO, while others report to a leader completely outside the CIO's chain, such as the chief compliance officer, chief risk officer, or the CEO.

Findings such as these have increased support for CISOs to report outside the CIO. Compliance and regulatory bodies, including the Defense Contracting Audit Agency and the Financial Industry Regulatory Authority, are encouraging (and in some cases demanding) that CISOs not report to the CIO because of the need for timely and accurate risk reporting. External auditors are also increasingly recommending a shift in the reporting structure so that enterprises better understand cybersecurity risks and mitigate them appropriately.

I am currently a CISO reporting (like our CIO) to the university's provost and CFO. I've previously been a CISO reporting to a CIO, as well as serving as the CIO and CISO at the same time. I have also had the CISO report to me in two different roles: as CEO and CTO. In addition, I've had discussions recently with many of my peers at universities about their frustrations with their current reporting structures. All of these experiences have led me to see a clear need for change in the CISO's role and reporting structure in higher education.

Why the Change?

A survey of articles¹ asserting that CISOs should not report to CIOs boils it down to four issues and justifications; I've summarized each in the following and added a fifth specifically for higher education institutions.

Separation of Duties

The CISO's role demands a separation of duties to minimize the possible conflicts of interest entailed in being a CIO-subordinate CISO.

CIOs are under tremendous pressure to deliver, and security rarely speeds up or simplifies IT operations. As a result, IT staff members under the CIO might be tempted to delay or ignore security tasks so that they can demonstrate true progress on their CIO's initiatives.

Also, if institutions are to understand security issues and address them with proper priority, candor in reporting is critical. In many cases, security issues are a result of IT errors or omissions that reflect on the CIO; as a result, security team staff members are more likely to report bad news if their reporting chain doesn't run through the CIO. Also, even when everyone takes the correct actions, a separate reporting line removes any doubt about reports being tempered or filtered.

Institutional vs. IT Risk

Most leaders understand that cybersecurity is an institutional risk — much like Title IX, research misconduct, or loss of funding — rather than just an IT risk. Thus, the resourcing of cybersecurity must be weighed against all of the other risks the institution faces, and not just its IT risks. This is especially true because cybersecurity changes so quickly and long-term planning is difficult.

Also, institutions may need major security investments, which give rise to funding questions such as whether to stop other strategic IT projects or fund the needed investments from other campus activities. The institution's leadership must address these campus-wide issues, not the CIO alone.

Visibility

CISOs who report outside CIOs are more visible to senior leadership. Given that accountability for breaches ultimately falls on senior leaders, direct relationships with university leaders such as deans are critical for an effective cybersecurity program.

University leaders are busy, and they might not make time for a CISO if they perceive cybersecurity as an IT function. Also, in some universities, CIOs guard their relationship with those leaders and don't allow their CISOs access.

By sitting with other senior staff in meetings, CISOs can build relationships and understanding. Although boards are encouraged or required to consider cybersecurity, CIO-subordinate CISOs must work through CIOs rather than regularly participate and provide an independent voice in board meetings. In contrast, the natural relationships that develop with a nonsubordinate CISO are extremely valuable to an institution's cybersecurity program.

Legal and Regulatory Exposure

More laws and regulators are strongly suggesting or even demanding that CISOs not report to CIOs. The GDPR, for example, requires some organizations to appoint a data protection officer who reports to senior management. Most regulations call for a governance framework with appropriate separation of duties, taking into account the size and mission of the enterprise. Having CISOs report to the president or a senior university leader may be a stretch, but a CISO who does not report to the CIO will be easier to defend in a post-breach audit. Also, many of my peers expect to see the United States adopt GDPR-like regulations.

Decentralization and Cybersecurity

In higher education, and especially in research universities, IT is much more decentralized than in other industries. As a result, distributed IT units do not usually report to the CIO and, in some cases, they are quite independent of the CIO.

It can therefore be politically easier to create a single cybersecurity program under an independent CISO rather than associate it with central IT, which may have limited influence over unit IT. Security can be scaled across various units, and having multiple independent security programs is a recipe for disaster. Also, in my experience, institutional leaders are typically content to be part of a university-wide security program, while individual units are much more reluctant to rely on a centralized IT.

Change: At What Cost?

However valid the benefits, there are also disadvantages to a CISO not being part of the CIO's team, and nonsubordinate CISOs must work to overcome these challenges. Central IT is typically an institution's largest IT organization and manages the highest-risk information. Being part of the IT leadership team helps all leaders understand each other's problems and collaborate better. Further, the security team relies on central IT to deliver most security projects and usually supports security tools. When those projects are under the CIO, they typically get more attention and priority than when they are docked elsewhere.

Strong relationships are key to overcoming these obstacles. A nonsubordinate CISO must work hard to build relationships with central IT leaders. CISOs who don't report to CIOs need broader experience and talents to succeed. Good CISOs will be institution-wide leaders and coaches for their team members, helping them develop and putting them in situations that challenge but don't overwhelm them.

Also, a CISO that does not report to the CIO will likely report to someone who has little understanding of cybersecurity or even large-scale IT operations. Such a CISO could easily lose credibility by overstating a risk, mishandling a disagreement, or myriad other mistakes that might befall a senior leader. In such cases, there's no CIO to cover for them; in fact, the CIO might even be an antagonist. To succeed, CISOs who are not subordinate to CIOs must be credible senior leaders in their own right.

Leadership Is Key

In higher education, we clearly need strong leaders in both the CIO and CISO roles. To develop that leadership, CISOs should have experience both as IT leaders and in the institution's business: teaching and research. It's a tall order, but a leader who has spent an entire career in cybersecurity will have to work extra hard to gain the perspective and credibility necessary to be effective. Finally, regardless of the reporting structure, the CIO and CISO must be strong partners as they share responsibility for an institution's cybersecurity.

Ultimately, there is no reporting structure that good leadership can't overcome — and no reporting structure that will fix bad leadership.

Note

1. Among the many recent articles on this topic are "Eight Reasons Why the CISO Should Report to the CEO and Not the CIO" [https://fastlyssl.cio.com/article/3522983/eight-reasons-the-ciso-should-report-to-the-ceo-and-not-the-cio.html], CIO, January 6, 2017; John Armstrong, "The Role of the CISO in Preventing Data Breaches," Tripwire, February 20, 2018; Mekhala Roy, "Is the CISO-CIO Reporting Structure Hampering Security?" TechTarget, October 2017; and Christopher Veltsos, "Is Your CISO Out of Place?" SecurityIntelligence, March 1, 2016. See also "Inside the Changing Role of the CISO," for an interesting 2013 interview between CIO.com's Sharon Florentine and Matt Comyns, who at that time was global co-head of the cybersecurity practice at Russell Reynolds Associates. ↩

---

Donald J. Welch is the CISO at Penn State University.