One of the things that you need to do as a leader is to remind your employees that cybersecurity is everybody’s responsibility. This is at the core of building a corporate culture that values cybersecurity. Your cybersecurity programs, training, tools, and procedures do not belong just to one individual or department; they are the responsibility of everybody, including you!
Nevertheless, many organizations assign executives responsibilities for activities that cut across multiple product and business lines. These executives are responsible for policies that govern functional activities and provide oversight that makes sure the policies are appropriately followed in execution by personnel across the organization. These executives provide sponsorship and ownership of crosscutting activities. Financial, security, and risk management are examples of these types of crosscutting activities. Cybersecurity is another.
There is no single best-practice organizational structure proven to optimize cybersecurity in business. While many organizations align sponsorship of cybersecurity programs under the chief information officer (CIO), we’ve seen others place it under the auspices of the chief information security officer (CISO), the chief security officer (CSO), or the chief risk officer (CRO). We’ve even seen several companies place it under the COO or the CFO. The type of business you run and the corporate culture of your organization will guide your selection of which officer is best suited to sponsor the cybersecurity program in your business.
We recommend you consider aligning management of your cybersecurity programs to your CIO, with your CISO serving as a direct report. CIOs are responsible for the information of the business. If they do their job correctly, they are thinking and acting beyond the IT systems; they are focused on the process that creates, consumes, manages, stores, and protects the information that is such a valuable part of your business. Too many times, we have seen CIOs who become bogged down with the acquisition or management of software and IT systems while losing sight of the fact that these are complementary tasks supporting the management of information, which is truly the heart of every CIO’s job. Your CIO should be responsible for managing the entire life cycle of your business’s information, from creation to destruction, including its protection.