CISO reporting to board of directors: Myth or for real?

There's much talk about how the Indian chief information security officer (CISO) now reports to board of directors. Has the Indian CISO's role changed?

The serious nature of security threats now forces Indian enterprises to treat information security as a strategic need — very different from the earlier operational approach. This drastically changes the information security head's profile. He is now making a slow rise to the top management bracket, instead of being a mundane information security supervisor.

The chief information security officer (CISO) designation is still a rarity — limited to industries like the banking, financial services and insurance (BFSI) vertical, telecom, and business process outsourcing (BPO). According to Vishal Salvi, the CISO of HDFC Bank, these industries with mature information security functions are already experiencing a shift, wherein CISOs have started to report outside IT.

According to Captain Felix Mohan, the CISO of Bharti Airtel Ltd., there is a growing global trend of CISOs reporting outside the IT function. On this front, Mohan refers to analyst firm Gartner's studies which estimate that 30% of CISOs report outside IT. CISO reporting structure in certain Indian organizations have been modified, such that the CISO reports to the board of directors or the CEO.

As an example, Salvi reports to HDFC Bank's executive director of risk, whereas Mohan reports to Bharti Airtel's information security steering committee (an apex security body comprising of functional directors and Airtel management board members). On the administrative reporting front, Mohan reports to the director of technology services and customer service (also a board member).

Can we assume that we will soon witness a trend of Indian CISOs reporting to the board of directors or CEOs? Most CISOs we spoke to believe that CISOs reporting directly to the board of directors is a rarity. "CISOs reporting to the organization's head of risk management is definitely a trend," says Sameer Ratolikar, the CISO of Bank of India, who follows this reporting pattern.

Although the information security function should be independent of IT, it should have very strong communication links with the technology team. Else there is a risk of being isolated.

Today, the risk function in many Indian organizations covers business as well as IT risks. This reporting pattern helps information security departments to derive more synergy and functional knowledge from the risk function, believes Salvi.

Whether it is risk or any other function, the trend of CISOs reporting outside IT is on the rise. Concerns about possible conflicts of interest between IT and information security departments are driving this trend. According to Mohan, if information security personnel report to the IT team, there may be a loss of segregation in terms of duties and control. "In such cases, the CISO will find it difficult to point out gaps in IT, which are tantamount to pointing out his reporting manager's faults. By making the CISO report outside IT, it's possible to avoid such situations."

Salvi highlights four aspects to be kept in mind, while deciding a CISO's reporting pattern:

(a) The CISO should be seen as a strategic role.

(b) He must be at a leadership level.

(c) The CISO should be independent of IT.

(d) He should report to a very senior person in the organization, who has strong hold within the organization.

When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT. Giving his own example, Mohan explains, "My role involves activities across a 360 degree perspective of security, which encompasses information security (as contrasted with IT security, its subset), business continuity, compliance, safety and physical security."

Independence from IT also gives tremendous sponsorship to information security. "It gives us a bigger canvas to work, on as well as empowerment to bring about change. In case of conflict of interests, you are able to put forth your point of view more assertively, and your department gains more respect," says Salvi. In operational IT implementations, information security generally gets lesser priority than a rapid project rollout. "In such cases, the CISO's different reporting structure enables him to lay down a good process to closely view security," explains Ratolikar.

Does this mean that CISO's reporting has to be changed in order to empower him? Not necessarily. "Irrespective of the reporting pattern, if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement," says Mohan.

According to Salvi, although the information security function should be independent of IT, it should have very strong communication links with the technology team. "There is a risk of being isolated if you are not a good leader or can't communicate well," says Salvi. The IT department should also understand that an independent security function is required for overall business improvement.

The change in reporting pattern may create ego hassles between the CIO and CISO. However, the CISOs whom we spoke to, believe that while differences of opinion are possible, ego hassles arise more due to personal bias — not due to functional or reporting structures.

Traditionally, information security budgets have always been defined as a percentage (or part) of the total IT budget. It is yet to be seen whether information security budgets increase and/or continue to be a part of IT budget after the change in reporting structures.

Salvi feels that there is no need to spend time and effort to segregate and make a separate security budget. "There is no issue as long as information security budgetary allocations are in accordance with the annual security operating plan prepared by the CISO," says Mohan. As far as an increase in security budget is concerned, Salvi feels that this cannot be held as a benchmark for security programs.

Read more on Regulatory compliance and standard requirements