"The advantages, though, are that when under the CIO, the money allocated for security becomes part of the CIO's pot. When other projects need more funding or resources to get things done, the money is pulled from security," Fitzgerald said.
Additionally, CISOs reporting to the CIO minimize external visibility and checks and balances. "Security officers report to the CIO, the CIO says we need to shift money, so they can end up with more of a conflict of interest in that relationship," Fitzgerald said.
Many of the arguments against the shift come down to an organization's maturity. "The other reason you still see organizations reporting into the CIO is that they are working on foundational security issues that require a heavy IT focus. Until they get to a certain maturity level, they aren’t making that shift," Fitzgerald said.
One advantage, though, is that CISOs gain some clout with senior management. "There’s a pathway that typically isn’t there with the CIO who has been fighting to get that seat at the table for years," said Fitzgerald.
Reporting outside of the CIO puts the CISO and the CIO on equal footing with each other and things get more visibility that way. "With the risk officer you have an automatic advocate around risk which moves the conversation outside of compliance and checking boxes," said Fitzgerald.
The shift is intended to bridge the gap between technology and the business. By reporting to the CRO, the CISO becomes a key player in broadening the conversation. By understanding how to communicate in the language of risk, security becomes a more paramount concern for the business, which will hopefully prove to protect critical assets.
Sign up for Computerworld eNewsletters.