Rafael Diaz, CIO at HUD, has spent time on both sides of the fence — as a CIO in the private and public sectors and a CISO with the state of Illinois — and has had a different perspective on who a security official should report to at different stages of his career.
"When I was the CIO in Illinois, I had a risk manager who was telling me what we needed to do … I was glad he was reporting to me," Diaz said during a May 12 panel discussion hosted by FedScoop. "When I became the CISO, I didn't want to report to the CIO."
While serving as the state's CISO, Diaz said he advocated for keeping the position outside of the CIO office, reporting directly to a chief risk officer or CEO.
Now, as a CIO in the federal environment, Diaz admitted he wants the CISO reporting to him so that he has that control over his organization, but he conceded that might not be the best option.
"The CISO and the response team need to be independent of me and independent of anyone else in the organization to be able to respond," he said. "Once you see that there's somebody attacking you — and there's somebody attacking you all the time — you need to have autonomy to be able to respond."
Either way, defining the organizational structure is important.
"The question determines how you're organized and that will determine your response," Diaz said. "It's a very difficult relationship to have. And it's all about the relationship."
"I think the CISO should hang off the CIO — they are the tag-team that manages the network, the information and the security apparatus," said Rob Carey, vice president of global cybersecurity for CSC. "If they were split I think you have security overruling business operations."
Diaz agreed with that assessment, noting the mission is fundamentally more important than security.
"We have to run the business," he said. "In one of these conversations, somebody said, 'Security is more important than connectivity.' The whole point is connectivity, but we have to do it securely. I'm not saying that we disregard security but the business has to run, we've got to do the mission."
Having an established reporting structure is key to finding that balance.
"Security is no longer something that is in addition to how a business is run or how your job is performed – it's an integral part," said Jay Scroggins, BDNA executive vice president of engineering and operations, who was in favor of the CISO reporting to the CIO. "And we need to be sure that that's reflected in the organizational design, in strategy and everything else."