There is a Conflict of Interest in CISO Reporting to CIO

The CISO reporting structure has been the subject of much debate and continues to be a topic frequently raised in forums, but a unified answer remains elusive. Among the many positions taken, a strong lobby is now emerging against the CISO reporting to the CIO, demanding instead that the CISO be directly answerable to the CEO or the board.

KK Chaudhary, Executive Director – Group Head IT & IS at Lanco Group, firmly believes that the CISO role should be kept independent of the CIO function. His rationale is simple: a CISO who reports to the CIO faces a conflict of interest.

He asserts that in most organizations even today the CISO still reports to the CIO, but also believes that many organizations have now started noticing the conflict of interest in this arrangement. “This is because what CISOs generally do most of the time is find out the IT vulnerabilities, meaning thereby that they are telling the CIO that their system is vulnerable. So, in a way, you are telling your own boss. Hence, there are many chances of a sort of curtain and suppression of risk,” he explains.

According to Chaudhary, IT security should be completely disassociated from IT and made part of the business, so that it can give an independent and specialized view of the IT vulnerabilities to the CIO function. Only then can an impartial security treatment be applied at the top level. Organizations that have realized this have started changing their reporting structure, making the CISO report to the risk officer or the CEO.

“While earlier it was totally aligned with the CIO, now it is slowly being removed from the CIO, and rightly so, and going towards the business or the risk committee,” adds Chaudhary.

As the CISO function is separated from the CIO and mostly aligned to the business, the CISO’s role must also undergo marked changes. CISOs now need to understand not only IT but also the business, which requires a complete evolution in how the CISO function emerges and is understood. “Only if they understand business will they be in a position to understand what risks this business is going to have with the kind of IT it has. Therefore, their role is developing more towards the business,” says Chaudhary.

Categories: Leadership