Why security must not report to IT

Last week, I participated in a recruiting activity as part of an event. The highlight was having lunch with one of my former managers whom I hadn't spoken with in a few years. He inquired about how satisfied I was at my current job. Internally, I felt defensive. I have crossed the 5-year mark, and in the industry, there is this unwritten pressure to justify why you are sticking around so long when the norm is to pivot every 3 years.

"We've reached a point where we're influencing decision-makers. Our CISO has a presence at the board and the ability to get budgets unlocked when needed", I replied.

I could have talked about cloud native technologies and generative AI, but my brain defaulted to organizational structure. Am I getting old?

Kidding aside, information security is about influencing people to do the right things. I discovered that security being independent of the information technology departments freed up space for top-down approaches.

Did you know that security has outgrown information technology? Let me demonstrate why having your security team report to IT leadership is a terrible idea.

Information technology and security have opposite incentives

In August 2022, I reported on the "Twitter whistleblower", Peitr Zatko. The social media's former chief of security painted a grim picture of the company, citing lax access controls and negligent computer configuration management. One of the most appalling comments is about the Chief Technology Officer's attempts to minimize the security flaws and incidents that Zatko would reveal to the board of directors.

Things got worse at Uber. In October 2022, I reported on how the former CISO was convicted of fraud for failing to alert regulators of a security breach. The Forbes article that covered the proceedings showed how the CISO was censored systematically by the CIO while reporting to the board.

Security cannot report to IT because both CIOs and CTOs want to show the board that "they got this". Think about it. Security's whole deal is to point out the shortcuts, the technical debt, and the skeletons in the closet. Imagine, as a CIO, showcasing your beautiful slide deck about the efficiency gains of your new customer experience management platform when the security perspective shows that everyone has admin rights and the public-facing website is filled with vulnerabilities.

And that's not the only source of conflict...

Security is not just a concern of technology professionals

Did you ever have to explain to an accountant why the TLS1.1 encryption protocol is insecure? I did, and it wasn't terrific. I also tried raising awareness about self-signed certificates. It went worse.

A well-managed security program assigns "asset owners" to critical information systems and data. Asset owners often inherit the duty because their business unit either generates the data or leverages the systems to drive business value. There is no notion of technology and know-how. And this is perfectly fine! An asset owner should only be concerned about resource allocation (i.e. how much money to spend to balance the business value and the risks).

On the flip side, I've also struggled to talk business with IT senior management. I tried to explain how the teams lacked the resources to build a coherent software development lifecycle process, which put the applications at risk of introducing vulnerabilities. The director showed me a clean security code scan as a response. This is not just a technology question!

Speaking of scanners...

Independent financing can push security forward

I already talked about "the security tax" at length in "Why is security so expensive?". Chief among the reasons is the difficulty of demonstrating that measures work.

Giving all the responsibility to a CIO or CTO to invest in security applications "because it's all tech" leads to having one person doing the risk and benefits balance by themselves.

On the other hand, a CISO who is an equal on the leadership totem can provide a valuable counter-balance. Here's an example. Recently, after witnessing an attack, our security team pressed the panic button. Security leadership was able to get an emergency fund to address the cause. The new modules disrupted the IT team's plans overnight. Would such a swift investment have happened with IT leadership? I doubt it.

Let's remember that security incidents can cause enduring harm to individuals. A CISO needs a certain degree of freedom and independence to mobilize quickly.

Did you witness similar struggles as I've described? Let us know in the comments, or reply to this email to share your stories!