The CISO’s reporting structure is broken
How can a cybersecurity leader protect government assets from adversaries when they lack the power to act in the best interests of their agency?
This issue is increasingly important in today’s environment. In a recent Government Accountability Office report, five out of 12 federal agencies said they faced “an increase in certain types of cyber attacks” when working remotely. Supporting a remote workforce is here to stay. To protect against the increasingly hostile threat landscape, it is up to agency leaders to seek opportunities for organizational improvement and greater operational security effectiveness.
The CISO’s reporting structure varies slightly from one agency to another. Under the Federal Information Security Management Act (FISMA), information security functions, including cybersecurity, are the responsibility of the agency CIO. The CIO reports directly to the Chief Operating Officer (COO) – or equivalent – who reports to the head of the agency.
Responsibilities for information security are then delegated to the Chief Information Security Officer (CISO), meaning that the CIO has ultimate responsibility for both the IT and security functions. That burden is becoming overwhelming and unbearable.
Almost all cybersecurity priorities are driven by federal mandates and requirements. Executive decrees, Office of Management and Budget mandates, and Cybersecurity and Infrastructure Security Agency guidelines are just a few examples. The commitment to manage cyber risk is a major concern, but it is often consolidated with IT priorities. This creates a conflict: does IT or security come first?
Some agencies have developed a good and healthy balance between IT operations and security operations teams. “Healthy” in this case means that these agencies are more effective when they are setting up new services, adopting new modernization activities, or responding to advanced threats. But in most agencies, the relationship between IT and security is unhealthy, which means getting things done becomes complex and difficult, and that prevents an agency from moving forward.
When there is a cyber event or initiative, for example, the CIO will get advice from the CISO and the head of the IT organization. This is a problem. IT and security will always have different perspectives because they have different experience, backgrounds and training. The IT department does not work from the same information (information on cyberthreats, exposure to vulnerabilities, cyber risks, etc.), so it does not understand cyber risk as fully as a CISO would. And you certainly can’t expect them to have the same perspective on cyber vulnerabilities or risk management.
When it comes to a security issue, the CISO should be the primary voice. They should be considered a peer of the CIO and report directly to the head of the agency. This will limit conflicts and improve the flow of information within the agencies.
Identify cyber challenges
Only 49% of security officials said their security plans were the root cause of problems like ransomware, and only 25% said they had advice in the event of a hacking incident. These weaknesses in the cybersecurity structure are primarily the responsibility of the CISO.
Although the CISO is responsible for the agency’s security program, they do not have the authority and autonomy to implement a successful program and effectively manage risk. For example, CISOs should advise the C-suite on security protocols, such as zero trust infrastructure, which provides environment-independent protection and secures applications and services even as they communicate across network environments. Without this authority, strategic cybersecurity priorities become diminished or ineffective, increasing risks for the agency.
Attackers only need one path through the agency’s cyber defenses to gain a foothold inside the perimeter. While the CISO is responsible for identifying vulnerabilities and configuration issues, a lack of authority or of the ability to effectively communicate risks to the business impacts the speed and effectiveness of a business control, mitigation or proposed resolution. Additionally, if the CISO recommends that a system be taken offline to mitigate the potential risk, it could impact the business / mission.
This puts the CIO in the middle. A CIO may not be willing to impact the business / mission by taking the system offline without the involvement of the COO, resulting in delays in mitigating unpatched vulnerabilities that could prove to be devastating in the future. Remember that it only takes one vulnerability, one misconfiguration, one anchor point, or one pathway which, if not mitigated, can lead to a major breach. Speed and decisive action based on risk tolerance can be the determining factor in whether you become the next headline.
The Zero Trust architecture helps agencies reduce their attack surface and reduce the likelihood of an implementation turning into a major breach. While no security is perfect and data breaches are never eliminated, the path to a better cybersecurity posture becomes clearer. It is time for agencies to settle the CISO reporting conflict once and for all.
Despite a recent influx of new cybersecurity laws, funding, and improved security infrastructure like Zero Trust, the current reporting structure is one of the major cyber vulnerabilities for agencies today. Therefore, ensuring that agencies reap the benefits of effective collaboration and improved CISO authority is essential if the right security programs are to be prioritized to support critical agency objectives.
We have come to a point where cybersecurity risk means risk to the agency and the potential impact on the mission. The CISO needs an unfiltered path to communicate and effectively manage and mitigate agency cyber risks. Agency heads have a legislative mandate to maintain and improve the security of their agency’s information and information systems, but we will continue to see slow progress until the authority of the CISO is elevated.
Danny Connelly is Zscaler’s CISO. Previously, he was Associate IT Director at the Centers for Disease Control and Prevention.