17 Aug Should CISOs have as much power as CIOs?
The traditional CIO-CISO organizational structure has ‘systemic weaknesses’
With a long parade of damaging and headline-grabbing data breaches these past few years, chief information security officers are suddenly on the rise – and that’s as true in healthcare as perhaps any industry.
As is the case with so many emerging job titles, the reporting structures vary from hospital to hospital. But what appears to be typical is for CISOs to sit one notch below chief information officer.
Yet many CISOs work with executives outside IT, such as compliance, legal, risk management and others. Thus, the question of whether it makes practical sense to have the CISO report to the CIO, rather than sit at the same level as the CIO, is becoming a matter of some debate.
Take the U.S. Department of Health and Human Services, for instance. At HHS, CISO Rob Foster reports to CIO Frank Baitman. The CIO, in turn, reports to the assistant secretary for administration, who reports directly to Secretary Sylvia Burwell.
But the U.S. House Committee on Energy and Commerce is looking to change that in a way that puts the CISO and CIO on equal footing.
Citing “systemic weaknesses in the traditional CIO-CISO organizational structure,” the Energy and Commerce committee recommended that HHS re-sketch its chart to move the CISO under General Counsel – a step over and up to the same level as CIO.
“By separating information security from information operations, this reorganization addresses the inherent subordination of HHS’s information security program. It eliminates the ability of officials responsible for information operations to ‘normalize deviance’ in order to ease operational pressures, as they no longer possess information security responsibilities, nor does information security exist in their chain of command,” according to a document titled Information Security at the Department of Health and Human Services carrying the name of committee chair Fred Upton (R-MI).