CISOs should not report to CIOs, and they need more direct lines of communication with CFOs, says Chris Pierson, a cybersecurity attorney who's CISO at invoicing and payments provider Viewpost.
Pierson contends that far too many organizations in the public and private sectors continue to miss opportunities to enhance their cybersecurity stature because they keep CISOs under the management of CIOs.
"The chief information officer is very much aligned with operational efficiency, performance and uptime ... not necessarily the confidentiality, i.e., the security, of that data," Pierson says during this interview with Information Security Media Group. "The security folks are much more aligned with ensuring that they protect and preserve the brand and goodwill of the company and the data that they have and hold."
That's why having CISOs report to CIOs is concerning, he says. "We keep heading down this path of the lack of recognition of two separate foundational elements, two separate partnerships, two separate collaborations within a company," Pierson says. "The security budget and the security footing are very much separate and distinct from the availability footing that most CIOs are on.
"What is needed is a separate risk voice, a separate security voice," Pierson says. "The need for a separate risk-based ... but very business-minded, security function is absolutely there, and it's separate and distinct from a CIO."
Once more CISOs report to the CEO or another executive, rather than the CIO, Pierson says, "there will be increased collaboration with the chief financial officer and the other financial folks at the company. What you'll have are ... lawyers, technology professionals, security professionals and finance professionals all at the same table and on equal footing with equal budget to support the needs that they have."
Cybersecurity is a business issue, which is why CFOs need to be more involved, he stresses. CFOs know they need to spend more on cyber risk management, but many don't know where to focus their efforts because they don't understand the risks at a technical level, Pierson says.
During this interview, Pierson also discusses:
- Why cybersecurity is a growing concern for CFOs;
- How cybercrime and breaches have put a spotlight on CSOs and CISOs in the last year; and
- Why cybersecurity has quickly risen to become a top business concern, rather than merely a technology issue.
In addition to serving as executive vice president, general counsel and CSO for Viewpost, Pierson also serves on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee. Before joining Viewpost, Pierson served as the first chief privacy officer for the Royal Bank of Scotland's U.S. banking operations, where he oversaw RBS's privacy and data protection program. Additionally, Pierson formerly served as a corporate attorney at the law firm Lewis and Roca, where he established the firm's cybersecurity practice, representing companies on security and data breach matters.