Subscribe: Comments on: Should The CISO Report To Someone Outside IT?
http://www.liquidmatrix.org/blog/2007/09/18/should-the-ciso-report-to-someone-outside-it/feed/
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
cio  ciso report  ciso  dave lewis  dave  don  good  information  managing information  report someone  reporting  security  someone  time  â  
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Comments on: Should The CISO Report To Someone Outside IT?

Comments on: Should The CISO Report To Someone Outside IT?



Bringing Fire To The Village: Your Source For Computer, Network & Information Security News



Last Build Date: Wed, 15 Feb 2017 17:00:25 +0000

 



By: Rationalists, Risk, And (Yawn) Asymmetry | RiskAnalys.is

Tue, 02 Oct 2007 13:02:03 +0000

[...] First, there is “Security Staff as Ultimate Insurance“.   Had the honor of sitting down and having some Walleye with a gentleman that runs the IRM program for one of the nation’s larger banks yesterday.  Very interesting conversation on many levels, but one of the topics we breached was “Where does the CISO’s office fit”.  I’ve had a strong post on the subj. in draft form now for about a month or so.  I still aim to post my analysis on the subj., but in the meantime do read Richard’s blog and this one from Liquidmatrix as well Should The “CISO Report To Someone Outside IT?” [...]



By: shrdlu

Thu, 20 Sep 2007 11:08:29 +0000

myrcurial, excellent point. No, our "I" that isn't "T" always tends to fall through the cracks -- as though it were either too obvious to mention or it doesn't matter, because everyone knows (or should know) how to secure paper. What few issues come up get shuttled over to the Legal department. Hey, and you don't have to have an already dysfunctional IT relationship to be feared and loathed as an ISO in your own right. Any time I ask to talk to someone, I have to add immediately, "Don't worry, you're not in trouble." Whenever someone from security, audit, HR or legal shows up at your door, you know it's probably not going to be a good day.



By: myrcurial

Wed, 19 Sep 2007 15:26:14 +0000

It's almost like he knows me and knows how to get me to pull my head out of the maw of doom long enough to type a little. You're both right. There. Where I'm at now is that I've done all I can for the IT group and I need to have influence with the lines of business. The LOBs however, aren't fans of the IT group (long history of negative working relationships) and it would be very helpful to me to be in a different reporting relationship in order to make that happen. At the same time, were I not part of IT, I could not have implemented the level of change that I have over the past year. It becomes very dependent on whether your CIO is *truly* a CIO or whether (s)he's a CITO with the wrong title. And are you a CISO or a CITSO? Are you managing Information or are you managing Information as it pertains solely to Technology? Do you take care of the analog world or just the digital world. And does your organization enforce a difference between those two worlds (as both Dave's and mine do)? I've got more thoughts on this, but not time now... I will though.



By: Dave Lewis

Wed, 19 Sep 2007 12:24:49 +0000

You my friend, have a good set up. Sadly, not all are quite so fortunate. So, when viewing the situation from your perspective I can fully appreciate your position. lucky...grumble...grumble :D



By: shrdlu

Wed, 19 Sep 2007 11:14:26 +0000

Thanks, Dave :-) I'm a former IT person myself, but to be honest, I still think of myself as one, even though I'm a CISO now. I don't find myself hampered at all in my current reporting structure (yes, to the CIO), because we both have the same senior executive approving our budget (the CFO) and I have direct access to the CFO whenever I think I need it. We're all on the same page that it's the business that makes the ultimate decisions on security risk, and we're all clear that I report on news both good and bad. It was the same situation in my last job too. Maybe a sample of two is too small, but I really don't see an *inherent* problem in staying within IT.



By: Dave Lewis

Wed, 19 Sep 2007 00:48:04 +0000

No problem at all. I welcome the comments. I had a read through your post and I have to respectfully disagree. I'm an IT guy that crossed over into Infosec (albeit with a gun to my head). I agree that arbitrary policies delivered "from the mount" aren't of much value. I have been looking at this from my own bias as I'm of two minds. Part IT, part security wonk. I don't see the CISO role as an "us versus them" by any means. That is about as counter productive as I can imagine. But, without out separation at least in a reporting line you are limited in your ability to successfully implement positive change. I enjoyed your post and thanks for the comment. cheers :)



By: shrdlu

Tue, 18 Sep 2007 22:56:28 +0000

Hey Dave, here I've got to disagree with you pretty strongly. My reasoning is here: http://layer8.itsecuritygeek.com/index/layer8/reporting-lines/ And I'm not saying that because I'm a CIO, neither :-)