Friday, September 28, 2018

GAO Report on Equifax Breach

The GAO Report on Equifax Breach is a good read and although I've read a number of articles, etc. on the subject, I wanted to see if there was anything new.  Most interesting and new to me was that prior to the breach Equifax didn't have a Chief Information Security Officer (CISO).  Footnote 29 outlines the evolution of their Information Security leadership and reporting structure.

"Prior to the 2017 data breach, the Chief Information Officer reported to the Chief Executive Officer and the Chief Security Officer reported to the company's Chief Legal Officer. Following the breach, Equifax created the position of Chief Information Security Officer, who reports to the Chief Executive Officer."

Statistics on CISO reporting structures are all over the place. The "Global State of Information Security Survey" indicates that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors and 24 percent report to a chief information officer (CIO). In contrast, the Ponemon Institute's "The Evolving Role of CISOs and Their Importance to the Business" found that 50 percent of CISOs report to the CIO. In addition, 9 percent report to the chief technology officer (CTO), 9 percent to the chief financial officer (CFO), 8 percent to the general counsel, 6 percent to the chief operating officer (COO) and 6 percent to the risk management leader. Only 4 percent indicated that they report to the CEO.

I've advocated for some time that in order to be effective at managing risks to an organization's business mission and objectives, executive leadership and CISOs need to have a functioning and direct relationship.  In the context of a reporting structure where the CISO reports to the CEO, it is a tremendous and overt demonstration of how important and foundational Information Security is to organizational success.  To be successful Information Security has to be seen not as a cost center, but as an integrated part of every product or service a company endeavors to sell or provide.
