Nothing starts an argument amongst a bunch of cyber nerds like this question.
There is no single correct answer. It depends on several factors, and we all have egos that color our interpretation of those factors. I have two basic questions that I feel help frame a personal analysis of the situation.
- Are you properly resourced? Meaning, do you have the people, budget, tools and access that you need to complete the job?
- Are you appropriately empowered to do the job? Meaning, does your boss or your company provide you the platform and voice to execute?
CISOs are human, so we often let fog and friction get in the way of our assessment. Removing emotion from the process is tough: ego, emotion, mob mentality and jealousy all creep in. I hope my thoughts help you think through your own process and give you the freedom to find the answer that works for you in the job you have today. Just remember that the variables can change at any time, and the resulting analysis changes with them: a new job, a new boss, a new threat, a new law or regulation, budget pressures, and so on.
Resourcing: The easy part of this is to think of budget and headcount. That is definitely important. But I would caution against getting wrapped up in a competition. The top ten US banks spend a crazy amount of money on cyber and seem to have unlimited hiring authority. Perhaps that works for them, but spending at the same rate, however you measure it, is not a panacea for your issues. Use the various benchmarks to get a sense of where you stand, but be careful about using those benchmarks to try to get more budget or increase headcount.
If you approach your CFO and say the Gartner benchmark shows how your budget is half of what other similar companies are spending, you must:
1.) Have a detailed plan for what you need.
2.) Be prepared to execute and report progress.
Do not be the dog that just caught the car but does not have a plan for what is next. If I suddenly had twice the resources, I doubt I would successfully execute in the first or second year. It takes time to build out a team and assess new partners.
For me, resourcing is also about the agility to move those resources around when needed. Autonomy to take your allocation of funds and do what you deem necessary can be more important than the top-line number. If you get $100M but cannot execute on it because of processes or constraints in your company, then you are not really resourced. If you cannot hire your headcount efficiently, and you know the bottleneck is not your own team, then you are not really resourced. Note that this sounds a lot like empowerment; that should not be surprising.
As CISOs, we must be good stewards of the checkbook. I personally know CISOs with larger budgets and higher headcount. Great. I am jealous. But can they take the required actions with their business to truly effect change and behavior? Or can they only build an audit-deep program that regulators would love?
Empowerment: Resourcing leads directly to empowerment. I put more weight here and think this is the part that drives more job satisfaction (or dissatisfaction) than anything else.
Your boss needs to help you effect change. Can they do that? Will they do that? They do not have to be an expert in your art, but a working knowledge is a plus. If your boss has a great business mind and a strong relationship with the business side of your company, that's even better.
Your boss needs to give you leeway to tell your truth. Don't outrun your headlights here, though. You are accountable for your truth, so if you go crazy, you will not last. Still, if you work for the CIO and they consistently tamp down the message to camouflage the danger or risk, then you are in a tough spot. Equally concerning: if you work for someone who devalues cyber, you might be in the wrong spot. You should not become a hunting ground for budget or headcount cuts while your boss protects their pet team.
Be accountable for your programs and results. AND make it clear where you are accountable but not necessarily responsible for the various actions. This is a critical distinction. My boss once asked me who was accountable for our vulnerability management effort. I quickly answered that I was. And I added that I am responsible for patching on only a small portion of the IT estate. In many ways, my accountability is like keeping score for the other teams that own the responsibility.
Your boss needs to have enough "resource" to protect your team as well. If you report to Legal and your budget is five times the size of the rest of Legal's, then you are not well protected. They will always be tempted to re-route resources to pay for some other concern.
Your boss needs to be able to afford you time and attention. If you think you do not need their leadership or mentoring, then you may have an ego problem. If they cannot give you any time, then you are out on a limb. I love the crowd that says cyber MUST work for the CEO. That may be the exact right answer for many. But can that CEO give you enough time to be an effective boss? Or is that a paper relationship only? I had a CEO in my past who had 29 direct reports, all SVP and EVP leaders. There is almost no way that they all had equal access. Most days, 4-6 had real and sustained access. The rest filtered their needs through that smaller group.
You need to assess the best place for you and your team "to live" in order to effect change. I find working for our CIO gives me direct access to the IT teams, where most of my work is. But in any given company, I could work for Legal or the CFO and still have that access. Or I could be viewed as an outsider by IT and not get enough access. Take an inventory of your situation and what needs to happen in your company. Perhaps you have a younger company with less tech debt and can work well outside IT. Or maybe you need to be behind the curtain, slogging through the mud with IT. As with everything, it depends.
Reporting chain is an item that can and will evolve for all of us. I have more than one peer who recently added their Infrastructure teams to their remit. That would make working outside IT very challenging. Also, I have peers who own Physical Security and Enterprise Risk. That presents a different challenge, where reporting to the CIO might be impossible.
Think through these two basic questions about resources and empowerment, assess your own motivations, and identify where your program is versus where you believe it needs to be. Then come up with your best answer and do not worry if others disagree. It is your answer for today. You are free to change it if the conditions change. But make sure you avoid some common pitfalls.
Ego: It sounds so cool to be a CEO direct report. But can your CEO give you the time and guidance? Don’t be trapped by the siren song of “I am a self-starter and do not need that guidance.” I do believe this is very industry-dependent, so it may be the best answer for your company. Just make sure it is the best answer for your company and not for your ambition.
High Tech companies, startups and cybersecurity companies feel like great fits for having the CISO report to the CEO.
Jealousy: Yeah, big banks have big budgets. Even when using a percentage metric, like Cyber FTE over total employee population or % of Cyber Budget vs IT Budget, your situation is unique. A few years ago, I was talking with a large bank CISO and they stated that their budget was unlimited. I do not even understand that statement and fear it can lead to waste and inefficiency. Ironically, some of my friends think my budget is “unlimited” because of the size of my company. I assure you it is not. But that is a relative measure.
Accolades: Related to ego, maybe the same thing. We often toil in obscurity and crave a little recognition. But if that is driving this kind of decision, then tread lightly. Plus, the spotlight brings attention, and not always the welcome kind. Brag too hard and you might create a target for security researchers, activists or hackers.
Back in early 2011, there was a cyber consulting company named HBGary Federal. Their CEO publicly outed and shamed some Anonymous hackers, calling them script kiddies. They took offense and thoroughly compromised the firm within about 24 hours.
Comparables: I often remind my teams that it is easier to grade someone else’s homework than to come up with original material. Sometimes we have to be willing to “blaze a trail” and then absorb the critiques and improve the proposal. Org structure is no different. It is easy to read a study or copy a successful team and run with it. Just make sure you put a critical eye on it and relate it to your situation. What is good for the goose is not always good for the gander.