Open question no. 7: cybersecurity w/in the organization
It's more than 'where to place the CISO'
Some subjects are so triggering that when they come up you just want to put your fingers in your ears and scream. This is how I feel when I talk to peers about where they feel they should reside on their organization’s org chart. While this post will address that, the bulk of it will explore how cybersecurity and IT differ and how that impacts where and how cyber should be situated in an organization. This question is no. 7 from my list of open questions.
This is mostly a question for higher education. It’s fascinating to note that while in the private/commercial sector 80% of CISOs report to the CEO, in higher ed it is the rare CISO that doesn’t report to the CIO. I could talk about the problems with this, but fundamentally, the CIO manages a cost center. Cut your IT budget? Sure! Fewer services or lower quality of service. But you can’t value-engineer risk out of the equation. Managing risk (even under shrinking budgets) is a strategically different issue than managing IT. It’s sad, tbh, how often leaders start an assessment of their cyber posture by asking about compliance or controls. Start with budgets and reporting lines; the rest are minor elaborations.
This exploration is necessary before we touch on where the CISO should report. Every middle manager wants to report to the Chancellor or CEO. But an org chart should reflect more than just the status of the individuals on it; it should articulate the relationships between functions as well as align like functions with appropriate management expertise[1]. I should warn you, there’s a lot of thinking out loud in this post, so the train of thought takes a scenic route.
As a new CISO full of youthful charm and good looks, I was struck by the close operational coupling between cybersecurity and IT. My first team was just down the hall from the systems group, which meant friendships sprang up and lunches were shared. Security engineers were included in a host of systems-related planning. When my office was moved next to the networking group, similarly (and without any deliberate intention) the engagement and cross-pollination of security and networking improved. Being part of the same organization, the same management, and the same budgeting processes reinforced this collaboration and simplified any approval process. We all rolled up to one executive and one budget office: basically, less bureaucratic friction. This had me very much believing that cybersecurity and IT belonged together.
At the same time I discovered that the scope of cybersecurity (or more properly in this context information assurance[2]) is much broader than IT. I found myself helping with issues that have a strong moral or ethical dimension to them. Getting involved in student and staff conduct issues is surprisingly common for a CISO, both in terms of the digital investigation and, consequently, in helping the institution develop a nuanced understanding of its own policies. The same can be said for privacy-related issues. While it’s tempting to view privacy issues as questions of ‘how to protect private information’, more commonly the discussion involves not only whether we should do something, but where the boundaries of privacy lie. And of course CISOs are deeply involved in contract negotiation for services and goods. These ultimately revolve around legal questions of risk and liability that extend beyond merely the likelihood of data misuse. Rounding out this scope were the researchers who came needing help putting together grant proposals with required cybersecurity plans. I found it necessary to form partnerships with a host of offices: from alumni affairs and emergency management to the campus police and the library. This breadth of scope is as exhilarating as it is exhausting.
I’m prattling on about this issue to distinguish the role and scope of cybersecurity from that of IT. Essentially I believe that not only is the scope of cyber broader than that of IT, but some of that difference is qualitative in nature. Cybersecurity is an integrated element of all IT discussions and concerns, but the reverse is not true. Many IT leaders will say I’m viewing them myopically, correctly arguing that IT underpins virtually every activity in the modern organization. CIOs whose systems articulate business functions are truly stealth COOs: they know where the bodies are buried. Therefore, the argument goes, IT must have the broader scope since it may have a role in most of these same areas. I don’t want to be dismissive of technology, nor of the critical role it plays in an organization. However, while IT can be a strategic partner for many organizational functions, more often than not it remains a tool or platform for service. Its role can be ‘transformative’, to use today’s buzzword, but only in that it introduces a kind of potential, a dynamic pressure on existing processes and pedagogy to adapt[3].
Perhaps the distinction comes down not to a question of engagement or the mechanics of business processes, but to one of risk. An engaged CISO participates directly in organizational policy, both big-P and little-p policy, and acts as a manager of and expert on risk far outside the scope of technology. Yet this is precisely the challenge: while ‘risk management’ may be a unit within an organization, as a function it permeates every aspect of that organization’s mission. Recruiting students or customers is about managing risk; managing procurement and contracts for services is largely a liability, and thus risk, exercise; compliance offices manage the risk of non-compliance; teaching, product development, research: they all involve walking the fine line between taking and avoiding undue risk.
Clearly this means that CIOs also deal in risk: the risk of not being able to acquire new customers, of not enrolling students, of not processing grants in a timely fashion, or of not being able to process paychecks. This can be massively impactful, as can be seen at hospitals whose systems are crushed by ransomware. People die. But these are operational issues, not ethical ones. Where IT is transformative, it is in matters of operational efficiency or in helping an institution remain agile in its adoption of new educational or research tools. IT doesn’t transform pedagogy, for example; it removes historical barriers to transformation by tearing down the old and introducing the new.
Looking more closely at that qualitative difference for cybersecurity that I mentioned earlier, we find not just policy concerns, but exposure to criminal and national security matters. But most importantly, I think there’s an intellectual style inherent in how cybersecurity frames risk that, while not unique, is distinct from how operational risk is generally framed. For example, a cybersecurity practitioner will tackle the question of ‘what could go wrong’ (aka, what risks are we exposed to) with a broader range of threat actors than might otherwise be considered. My personal and somewhat conservative library of threat actors includes 28 actors running the gamut from hacktivists, to nation-state actors, to insiders, with a concurrent range of motivations and capabilities[4].
Unlike technology failures, cyber deals with issues that arise despite a system or business process operating as intended. A perfectly operating electronic medical record system can still be used by a senior enough doctor to inappropriately look at a patient’s record. An order for a product can have its delivery address changed to an order processor’s home address. A faculty or staff member can use their work email as their political campaign address. These questions of ‘appropriate use’ are workaday for the security office, and our involvement in them suggests a closer alignment with legal, policy, and compliance functions than with IT.
With that we return to the question at hand: where in an organization should cybersecurity, or more broadly information assurance, live? When I was younger I tended to argue that it may not matter that much, provided the CISO has open access to the most senior leadership and a constructive relationship with their own management. I’ve worked for CIOs who insisted on attending and usurping my meetings with senior leadership, and others who simply said “say hi to the Provost from me”. Perhaps that was simply my own way of settling for the circumstances I found myself in. However, accepting this is to embrace the personality-driven peculiarity of the status quo, and one of our goals should be to minimize dependence on idiosyncratic behavior.
It might be helpful to think through what we’d want from any perch in the organization.
Broad visibility (information access): it’d be nice to reduce the opacity of the organization, allowing one to see a variety of activities without having them brought to you. Of course this quickly becomes a scaling problem.
Opportunity to inform policy (shape rules and guidelines): most successful CISOs do get a chance to comment on proposed policies or policy changes, but often only of limited scope and only once they’re in the revision phase. And despite my insistence on the breadth of information assurance, you probably don’t have much to contribute to every policy. You may not really need to comment on the question of permitting beer sales at the stadium. Nevertheless even a non-IT issue such as NCAA compliance does have a cyber dimension.
Opportunity to identify new and un- or under-addressed risk (uncover threats): in one of my positions I had the chance to review every department’s budget proposal for the coming year. This surfaced a large number of unidentified or under-resourced cyber-related risks. If we fold research activities into this, naturally the number of issues explodes, and again we hit a scaling problem.
Participation in resource debates (advocate for funding): most discussions of budgets are a zero-sum game. But the breadth of scope of cyber suggests that ‘game’ should be played at a higher level than the IT budget. Making the case for new or continued investment in cyber should not be intermediated by IT. The stakeholders (and thus potential partners) for cyber cut across the board: for example, emergency management, compliance, export control, and research affairs. I once received a call from the Chancellor’s office that I was being given a new position; it turned out the Chief of Police had gone and requested it, since my office supported the police. This was a valuable lesson for me early in my career.
As you can imagine, it’s possible to address most of these from almost anywhere on an org chart. It’s a question of integrating yourself into established process lifecycles. For example, policy development and research grant review each have established workflows, and ensuring cybersecurity is included in them effectively addresses one or two of the goals listed above. But without these being part of your role description, or without executive support, it’s really an uphill battle that has to be refought whenever unit leadership changes.
When I speak to my peers, the one constant refrain I hear is the belief that without senior enough status, essentially reporting to the top of the org chart, it is impossible to argue for the resources needed. But if you look at the org chart you’ll see any number of major cost centers that don’t report directly to the top. At one institution I was at, the person controlling student housing had a $250 million budget and she was three levels down from the top. Several schools have put tens of millions of dollars into cyber initiatives with CISOs under IT. This leads me to believe that one’s actual status and success at an institution are only loosely coupled to one’s place on the org chart, but tightly coupled to the priority or importance the institution assigns to the function[5].
This may make it sound like I’m arguing for keeping CISOs and cybersecurity within the IT department, but I’m not. As I discussed above, the scopes of cybersecurity and IT are qualitatively distinct. I’m merely pointing out that if you’re creative, patient, and perhaps a bit humble, and have the right management above you, success is quite possible from almost anywhere on the org chart. Be that as it may, the current status quo represents a drag on the effectiveness of cybersecurity. Participation in those organizational workflows has to be fought for; visibility into non-IT activities won’t happen broadly or quickly, but by diffusion as a result of some sort of incident. Unrecognized risks can’t be addressed until they materialize. And of course, every dollar wrestled away from IT to cybersecurity erodes the incentive structure for the CIO (i.e., better and more visible services equals success; better cybersecurity equals invisibility). Ultimately, keeping cybersecurity under IT results in a less resilient and more vulnerable organization.
My own inclination at the moment is to elevate the non-operational aspects of the CISO, as I’ve described above, and worry less about where security operations sits. I can imagine forming a new unit that addresses information assurance policy, strategy, and procedures under something like a Chief Digital Risk Officer (CDRO), leaving the bread and butter of network and system hardening and monitoring under a director of security operations, perhaps homed in IT. Such a position should be at the President’s or CEO’s cabinet level, with formal couplings to legal, compliance, administration, and research affairs. I would imagine that large organizations and systems might have ISOs (or, if necessary for recruiting, CISOs) for major divisions or campuses. I’ve seen some organizations and schools establishing a CDRO, and it would be an interesting study to explore and analyze how this model is working out in practice[6].
As we think about this role, it’s important to note that CISOs and CIOs aren’t necessarily SMEs in the deep details of their field. Rather, they are organizational operators: people who don’t necessarily wrestle with the messy plumbing of an issue; instead their success is contingent on how well they navigate the organizational barriers to getting something done. This means competing for resources and funding as well as finding the right leverage to push the organizational boulder uphill. They are soldiers in the fight against organizational inertia. I’m not sure if this observation is perceptive or deeply cynical.
I wonder, though, if our resistance to embracing this (and thus essentially ensuring that CISOs are ‘really good engineers who got promoted’) is part of why CISOs struggle to break into the C-Suite. While exceptions exist, and opportunities for training expand, how we speak is part of why CISOs in higher ed, unlike in the private sector, are buried under CIOs and IT, and are not C-Suite. We don’t speak C-Suite. Humans describe the world through language, and, as always, we need sharp words in order to articulate our ideas clearly. Too often we speak to the organization in words that are sharp to us, but fuzzy or obtuse to outsiders.
It’s a long-standing question for management: just how much subject matter expertise does a manager need to be effective? There’s some fascinating work in mathematics that maps to this question, specifically the issue of ‘what’s lost when mathematicians outsource elements of a proof to an AI’. While some in the field see it as a wonderful way to free mathematicians from the drudgery of endlessly proving lemmas, others believe something is lost when the mathematician doesn’t have the deep understanding that comes from that same drudgery. This reminds me of the early pushback against higher-level programming languages versus the machine-level view that assembly code provided[7].
For us the question is, how much operational expertise does the digital risk officer need? Will naïve or poor strategic decisions be made without an understanding of cybersecurity operations? Or will the opportunity costs of spending the early part of one’s career studying firewalls take away from a deeper understanding of organizational risk and risk dynamics? Personally I’ve always been inclined towards the idea that more technical expertise benefits technical management. On the other hand, after decades in management, my belief in my own control of technical issues far exceeds the reality. Not having a crisp answer, I’ll leave this as a puzzle for the reader.
Of course, let’s be honest: executives are often put in place less because of their subject matter or management expertise than for reasons of collegiality or familiarity. Hiring committees and boards are also notoriously conservative; a failed CIO, for example, is easier to hire than a first-time CIO. You can probably change that to CXO and it’s just as true.
[2] Information assurance is an umbrella term encompassing several distinct areas of expertise, including cybersecurity, privacy, data protection and curation, risk management, and resilience.
[3] I feel compelled to acknowledge that the current angst over large language models may alter this equation. Of course the panic is less on the IT side than it is on the creator side.
[4] I was introduced to the Threat Actor Risk Assessment model by the terrific Matthew Rosenquist, who you can follow here on Substack.
[5] Further, we as a community are rather poor at making the business case for investments in cyber. Working against us is the well-known observation that the more successful cybersecurity operations are, the less visible they are.
[6] I don’t want to get hung up on the title. ‘Chief’ could easily be some form of vice president. ‘Digital’ I used because it’s becoming more common and distinguishes it from how risk management is currently framed, as either hazards-insurance focused or emergency management.
[7] Quanta just published a great introduction to this issue in mathematics at https://www.quantamagazine.org/mathematical-beauty-truth-and-proof-in-the-age-of-ai-20250430/. For a meatier discussion, the following has a lot that even a non-mathematician can glean that’s relevant: https://www.ams.org/journals/bull/2022-59-01/S0273-0979-2021-01726-5/viewer.




Quite possibly, the CIO should be looked at as an Information manager rather than a Technology manager. In this hierarchy, Information Technology (CTO) and Information Security (CISO) would be separate but coordinating functions within the broader Information organization.