The resourcing of cybersecurity must be weighed against all the other risks the institution faces, not limited to IT risks.
The CIO shouldn’t have to balance cyber risk against IT investments; it is the leadership of the institution that must address cyber risk.
Direct relationships with deans and other campus leaders are critical for an effective cybersecurity program.
Unfortunately, some university leaders may not make time for a CISO when they perceive cybersecurity to be an IT function. The CISO’s presence in meetings, alongside other senior staff, helps to establish relationships and understanding.
Boards are encouraged or required to consider cybersecurity, but in all the situations I’ve observed, a subordinate CISO must work through the CIO rather than being a regular participant and an independent voice at board meetings.
The European Union’s General Data Protection Regulation calls for a privacy officer that reports to the senior level of management. Many of us expect to see GDPR-like regulations spreading.
In higher education, especially at research universities, IT is highly decentralized. Distributed IT staffers usually do not report to the CIO and, in some cases, can be quite independent of the CIO.
Security scales; multiple independent security programs are a recipe for disaster. When security is not associated with central IT, it can be politically easier to create one cybersecurity program.
Strong Leadership and Credibility Keep the Security Mission on Track
There are disadvantages to a CISO not being part of the CIO’s team. Central IT is the largest IT organization and manages the highest-risk information. Being part of the IT leadership team helps all leaders understand each other’s problems and collaborate better.
The security team relies on central IT to deliver most security projects, and central IT usually supports the security tools.
A CISO who does not report to the CIO may report to someone who understands little about cybersecurity. The CIO won’t be covering for them and might even be an antagonist. Therefore, the CISO must be a credible senior leader.
There is no reporting structure that good leadership can’t overcome. Conversely, there is no reporting structure that will fix bad leadership. In higher education, we have developing leaders in both CIO and CISO roles.
With the CISO not reporting to the CIO, we can bolster those developing leaders and make the mission easier for experienced CIOs and CISOs. The relationship must be a strong partnership — one built on equal footing.