Security

When CISOs Are Independent of CIOs, Higher Ed Institutions Benefit

Reporting relationships between CIOs and CISOs can help — or compromise — cybersecurity.

Donald J. Welch is the interim vice president and CIO at Penn State University.

In my experience, about half of the CISOs in commercial companies report to someone other than the CIO. In higher education, by contrast, that’s true of only about 18 percent of CISOs, according to EDUCAUSE.

In my view, having CISOs report to CIOs limits the effectiveness of security programs, so colleges should change this reporting relationship sooner rather than later.

Independent CISOs Have a Seat at the Table with Senior Leaders

First, the CISO’s role demands a separation of duties, without which the CIO can get caught in a conflict. Second, information security is an institutional risk, not only an IT risk. Third, a CISO reporting outside the CIO has more visibility to senior leadership.

A growing number of laws and regulators are strongly suggesting, if not demanding, that CISOs not report to CIOs.

Finally, in a university’s decentralized environment, it is easier to create a single cybersecurity program outside of central IT.

An exceptional CIO can overcome these obstacles, but it is unrealistic to depend on exceptional leadership.

CIOs deliver IT services, and security controls don’t speed up or simplify IT operations.

Members of the security team are less likely to feel pressure to suppress bad news when their reporting chain doesn’t run through the CIO, whose team is likely to be blamed. Even when everyone acts appropriately, a separate reporting line removes any doubt.

Most leaders understand that cybersecurity is an institutional risk, much like issues related to Title IX, research misconduct or labor.

Direct relationships with deans and other campus leaders are critical for an effective cybersecurity program."

Donald Welch interim vice president and CIO, Penn State University.

The resourcing of cybersecurity must be weighed against all the other risks the institution faces, not limited to IT risks.

The CIO shouldn’t have to balance cyber risk against IT investments; it is the leadership of the institution that must address cyber risk.

Direct relationships with deans and other campus leaders are critical for an effective cybersecurity program.

Unfortunately, some university leaders may not make time for a CISO when they perceive cybersecurity to be an IT function. The CISO’s presence in meetings, alongside other senior staff, helps to establish relationships and understanding.

Boards are encouraged or required to consider cybersecurity, but in all the situations I’ve observed, a subordinate CISO must work through the CIO rather than being a regular participant and an independent voice at board meetings.

The European Union’s General Data Protection Regulation calls for a privacy officer that reports to the senior level of management. Many of us expect to see GDPR-like regulations spreading.

In higher education, especially at research universities, IT is highly decentralized. Distributed IT staffers usually do not report to the CIO and, in some cases, can be quite independent of the CIO.

Security scales and multiple independent security programs are a recipe for disaster. When security is not associated with central IT, it can be politically easier to create one cybersecurity program.

Strong Leadership and Credibility Keep the Security Mission on Track

There are disadvantages to a CISO not being part of the CIO’s team. Central IT is the largest IT organization and manages the highest-risk information. Being part of the IT leadership team helps all leaders understand each other’s problems and collaborate better.

The security team relies on central IT to deliver most security projects and usually supports security tools.

A CISO that does not report to the CIO will may report to someone who understands little about cybersecurity. The CIO won’t be covering for them and might even be an antagonist. Therefore, the CISO must be a credible senior leader.

There is no reporting structure that good leadership can’t overcome. Conversely, there is no reporting structure that will fix bad leadership. In higher education, we have developing leaders in both CIO and CISO roles.

With the CISO not reporting to the CIO, we can bolster those developing leaders and make the mission easier for experienced CIOs and CISOs. The relationship must be a strong partnership — one built on equal footing.

metamorworks/Getty Images