Do You Really Need a CISO to Have Security?

Sunday, June 17, 2012

Rafal Los


There was a lot of bustle about the LinkedIn data breach, and specifically about the lack of a CISO and CIO at LinkedIn - which made me think... does an enterprise require a CISO, or even a CIO?

A story on the publication BankInfoSecurity makes it clear with a quote from a LinkedIn spokesperson - "We don't currently have executives with those specific titles, but David Henke, senior vice president, operations, oversees the functions". 

The question becomes, does a company need someone with a CIO or a CISO title to have a well run IT organization and good security?

On the one hand, it's important to have information leadership in a singular role, separate from the role responsible for the security of the organization.  On the other hand, if what your organization is depending on is a title and not a holistic cultural way of thinking, then you'll always have security as a bolt-on anyway.

Surely there are many types of organizations.  Surely some need the rigor of having a formal information security officer (CISO) role defined and responsible for the security-related decisions of the organization. 

In fact, I would argue that most organizations are of this type... and that when security isn't explicitly called out it can easily be relegated to the back corners of the operations functions or the architecture organization or worse. 

When security isn't explicitly embodied in a warm body it's easy to push it out of your mind, I can certainly attest to that.  Someone has to make the tough choices, push policy and be unpopular, right? 

Someone has to be the fall-guy or fall-gal when things go wrong... and someone has to lobby for the protection of the organization.  At least... if good security isn't part of the culture.

Are we then ready to accept that it's not OK for an organization to leave the role of the CISO out?  I'm not sure I'm ready to go there yet.

What happens when an organization has no formal CISO?  Can security still survive?  Is a breach imminent like with LinkedIn?  I don't think so, the situation in IT can't be that dire.  Can it?

I don't buy it, I just don't buy all the cynicism.  Not salting hashes is a mistake many organizations make... if you're willing to challenge that, look inward first.  I don't believe that the culture at LinkedIn is so poor that it requires the role of a CISO to insert security into the IT and business consciousness. 

In fact, I don't believe that the culture in any organization I have known is so bad that defining a CISO (or not) will make a difference one way or another.  The security of an organization just cannot come down to 4 letters - CISO.

I've been having a ton of conversations lately about how more often than not these days a CISO is set up to fail based on those 4 letters... so when he or she doesn't exist does it really matter if the organization simply doesn't care about security?

As you can probably see - I'm torn.  I'm clearly not a CISO cheerleader simply to have a role (we call that the Chief Fallguy), but if this is what drives better security (or any security) then you need to have the role. 

Given that I don't know enough about LinkedIn's structure or organization (or at least not enough that I can write about) I don't think I'll be joining the outcry against their not having a CISO.

In the final analysis, every organization needs to have someone responsible for the technology-based risk or "security" of the organization.  Whether that's the Technology Manager, the CISO, or the "IT guy"... I just want to see better security, more resiliency, and less technical risk. 

Isn't that what we all want?

Cross-posted from Following the White Rabbit

Hani Banayoti A very important point you make Rafal. I certainly have the opinion that the CISO role is not necessary, and in most cases I have seen throughout my career in security consulting a CISO almost always had little influence in directing or enforcing the security practices in the business. A CISO's role seems to be mostly for finding someone to blame when things go wrong. It gives top executive management comfort to know there is someone to blame/fire when things go wrong.
Rafal Los Hani - that's correct, the CISO is often doomed to fail from the start, and the 'fall guy' when things go poorly. It's not always like that, but consider that the CISO is rarely an executive with the typical executive powers ... what does that say? I think the CISO should be a "Security Director" at very most, reporting to someone *not* in the IT management chain... just my $0.02 and an opinion.

Thanks for the comment, I welcome more discussion on Twitter at @Wh1t3Rabbit.
Ian Tibble Well, do we need a CISO? Is this a big issue or something complex? It's like..line reporting (and stuff).
When someone up in the clouds has a question about risk, they don't want 100s of voices answering, they want one...the one voice that rules over all others. Call it what you like really. CISO or...whatever. Certain things need to be done in security by folk with certain skill sets, and whether they sit in ops, or infosec - to me, the skills are more important than the name of the department or position.
Should a CISO report to IT or someone outside IT - heaven forbid a CEO? Many don't agree but security needs to be heavily linked to IT...the clue is in the name, in that the word "information" is in there and in security we're supposed to be dealing with risks to information. If I was a CEO, I would prefer not to hear territorial disputes and the rumblings of ego. I would prefer to listen to one voice on information risk...and there's no reason why that can't be a CIO. CISOs have to get on well with CIOs anyway, and if they are all on the same page, it doesn't matter who reports to the board or CEO. A CISO _and_ a CIO can report to the board. But if I was a CEO who believes IT and security are connected, I would go with the CIO because they are in a position to see a wider picture.

CISOs can be fired or blamed for incidents if there is an external driver for CEOs to name and shame someone, and CEOs lack the courage to take on the responsibility themselves. If there is no external driver, and CISOs are still blamed - this is because of a lack of trust between CEO and CISO. I suspect this is a very common scenario.

Anyway, who would be a CISO? Products which produce results you can't trust and analysts who don't analyse! How much confidence would I have in my reporting?

Marc Quibell If your company is big enough for a CISO then yes. A CISO can be an advocate for information security. As long as they are effective, and not just there for the title.
Don Jackson Well... I would prefer that "the company" have someone who is officially responsible for security; his title can be goat herder for all I care as long as he understands how to operate in that backstabbing world of corporate politics, and the most effective CISOs have all been under the CFO or equivalent.

I think passing this requirement/responsibility as an "oh by the way..." to someone in IT is a very dangerous thing, because most (not all) IT focused people really do not get the concept of what security is, they only see impediments to what they are responsible for, which is making systems work as fast and cheap as possible... security slows things down and ultimately costs money. We had an admin/engineer spend time in my group because he wanted to move into security, but he couldn't change his mindset from being that IT guy that's always complaining about security being stupid and dumb to understanding why these things are relevant and necessary... and that for the most part we're just looking at everything and reporting or making recommendations on what we see for someone else to make a decision based on risk, policy or whatever the magic-8-ball tells them to do... so we sent him back.

But to answer the question... I do think a senior security professional is needed.
Maureen Robinson In a joint research study on Application Security Maturity that you can download from here:, 28% of respondents felt that the CISO should be primarily responsible for ensuring security in the application development life cycle in their organization. Find out more about the organizations that need a CISO in order to maintain proper security and how they can be successful in this blog article.