NO, says technical security consultant Edward Farrell
CYBER security is currently taking the same trajectory as the Dot-Com Bubble, not in terms of overvaluation or an impending catastrophic economic bubble, but in terms of understanding our role in organisations and markets, specifically how and where we provide value.
It is for this reason above all else that the CIO should not report to the CISO in the same way a CEO does not report to their lawyers or their CIO.
What do I mean by this?
Information and information technology derive their purpose from the business; without an explicit set of requirements or mission, the role of technology ceases to exist.
For that reason the CIO will implement systems and technologies that support the organisation.
Nested in the information technology requirement is the necessity that information is readily available, free from disclosure or modification, and that a positive assurance can be made as to this state; we now call this requirement cyber security.
The CISO's role is to enable this; however, as security is often an enabling factor on a par with technology, organisational leadership will often demand input from the security function.
Fundamental to this question is the assumption that reporting lines and rigid structures are effective (a view often imposed by MBA graduates who have never had to apply teamwork, technical competence, attention to detail or empathy).
I hypothesise that a collaborative approach drawing on multiple teams and services can achieve an organisation's desired outcome. Depending on the task at hand or the point in time, responsibility and leadership can be delegated to the relevant subject matter expert, which extends beyond the CIO/CISO and may include marketing, communications and data science, to name other disciplines within technology that should be on an equal footing.
Before we start jockeying for positions of leadership for empire building, CV padding or to augment our next TED Talk, I think we need to return to a phrase often quoted by Major General Marcus Thompson, former head of Information Warfare for the Australian Defence Force: "Cyber security is a team effort."
Let's find ways for the teams to achieve our desired outcome.
◼ Edward Farrell is director and principal consultant at Mercury Information Security Services