Rafael Diaz, CIO at HUD, has spent time on both sides of the fence — as a CIO in the private and public sectors and a CISO with the state of Illinois — and has had a different perspective on who a security official should report to at different stages of his career.

Related: Breaches should reignite push for better cyber hygiene

"When I was the CIO in Illinois, I had a risk manager who was telling me what we needed to do … I was glad he was reporting to me," Diaz said during a May 12 panel discussion hosted by FedScoop. "When I became the CISO, I didn't want to report to the CIO."

While serving as the state's CISO, Diaz said he advocated for keeping the position outside of the CIO office, reporting directly to a chief risk officer or CEO.

Now, as a CIO in the federal environment, Diaz admitted he wants the CISO reporting to him, to have that control over his organization, but that might not be the best option.

Related: Ed Department seeking Info Assurance Director, CISO

"The CISO and the response team needs to be independent of me and independent of anyone else in the organization to be able to respond," he said. "Once you see that there's somebody attacking you — and there's somebody attacking you all the time — you need to have autonomy to be able to respond."

Either way, defining the organizational structure is important.

"The question determines how you're organized and that will determine your response," Diaz said. "It's a very difficult relationship to have. And it's all about the relationship."

"I think the CISO should hang off the CIO — they are the tag-team that manages the network, the information and the security apparatus," said Rob Carey, vice president of global cybersecurity for CSC. "If they were split I think you have security overruling business operations."

Daiz agreed with that assessment, noting the mission is fundamentally more important than security.

Related: Move to mobile IT a balance between security, capability

"We have to run the business," he said. "In one of these conversations, somebody said, 'Security is more important than connectivity.' The whole point is connectivity, but we have to do it securely. I'm not saying that we disregard security but the business has to run, we've got to do the mission."

Having an established reporting structure is key to finding that balance.

"Security is no longer something that is in addition to how a business is run or how your job is performed – it's an integral part," said Jay Scroggins, BDNA executive vice president of engineering and operations, who was in favor of the CISO reporting to the CIO. "And we need to be sure that that's reflected in the organizational design, in strategy and everything else."

Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.

Share:
In Other News
Is Juneteenth a federal holiday?
Juneteenth has been celebrated annually around the country since 1865 when a Union General arrived in Galveston, Texas, and informed the enslaved African Americans that the Confederacy had lost the war and that they were free as per the Emancipation Proclamation, which was inked in 1863.
Democrats and Republicans agree: government must do more
The Pew Research Center report revealed several benchmarks of public opinion on government efficacy, including the federal response to certain issues and views on politicians. One finding set the tone: “Just 20% say they trust the government in Washington to do the right thing just about always or most of the time.”
Foreign Service applicants sit for updated exam amid subjectivity concerns
In late April, the State Department announced that the Foreign Service Officer Test would no longer serve as a mechanism to cull the ranks of applicants, but rather all applicants would now move forward onto the Qualifications Evaluation Panel and their FSOT score would be factored into the evaluation.
Closing the federal remote work gap
John Greenstein of Bluescape outlines the steps federal leaders can take to create a more equitable environment in the age of hybrid workplaces.
Load More