Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/23/2016
01:00 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

CISO Security ‘Portfolios’ Vs. Reporting Structures

Organizational structure is a tool for driving action. Worrying about your boss's title won't help you as much as a better communication framework.

Every way to structure an organization has weaknesses.

In the first place, every executive learns early in their career that different structures have different strengths and weaknesses, and one reason to reorganize semi-regularly is to shake up some of the inertia that a structure brings. Having CISOs reporting to the CEO takes them out of the operational structure and puts them in a policy role, which creates risks that operations will hide deficiencies. Having CISOs in an operational role means that someone else might be formally responsible for risk sign-off, and their boss might hide deficiencies.

Second, every organization is different. Asserting that Amazon and Apple should have the same CISO reporting structure ignores the fact that Amazon is organized by products (retail, AWS, prime), while Apple is organized functionally (engineering, marketing). Claiming that General Electric and General Motors both need a CSO who reports to the boss ignores that GE is a conglomerate and GM is thinking pretty deeply about what their world looks like as they become a software company. (Now, you might argue that both have a CFO, but Sarbanes-Oxley mandated that role for public companies. The expansion of executive teams is getting attention in Harvard Business Review.)  

Third, more important than where you report is how you work the organization. Of course, title is important. I remember a friend marveling at how much faster his meetings got accepted after he was re-titled from director of security to “chief.” Similarly, being a direct report to the boss is a signal of the importance a company is placing on a role. But unless everyone in IT reports to the CISO, they’re fundamentally an advisor, not the decision maker. And as an advisor, they need to work the org. They need to talk to the leadership of the company and balance between various priorities while advocating for security. That balancing and perspective is helped by being close to leadership and being brought into more conversations, and hindered if there’s an expectation that the org chart brings power.

Fourth, the CEO’s a busy person. They spend their days making decisions that no one under them can make. Their bandwidth for mentoring and advising may be more limited than other leaders.

Portfolio views are under your control. You can choose to use them without getting into a discussion of what the org chart should look like. A portfolio of controls is clearly and unambiguously in your domain. Using portfolio views is unlikely to step on anyone’s toes. You can use portfolios to anchor your discussions as you work the org. A good view like the Cyber Defense Matrix grounds the conversation by avoiding jargon and linking to the business.

In The Effective Executive, Peter Drucker talked about concentrating your effort on the things that matter most. Arguing about reporting structures is a less useful place for your effort than getting a grasp on the whats and whys using portfolio views.

Related Content In This Series:    

Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29367
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
CVE-2020-26245
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
CVE-2017-15682
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
CVE-2017-15683
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
CVE-2017-15684
PUBLISHED: 2020-11-27
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.