CPSO Reporting Structure Part 2

Time
8 hours 10 minutes
Difficulty
Advanced
CEU/CPE
8
Video Transcription
00:00
Hi, this is Matthew Clark. This is Lesson 2.5, CPSO Reporting Structures Part Two.
00:07
In this video, we will continue our discussion about possible places for the CPSO to report into, including this large alphabet soup of positions,
00:18
reporting to the CISO or CSO.
00:21
So let's start with the CSO, the chief security officer, and I pronounce this "sis-oh," but everyone pronounces both these words completely differently.
00:30
But the CSO role looks at the entire organization's risk, including physical security, compliance, fraud prevention, business continuity, financial risk, safety, ethics, privacy, reputation and brand protection.
00:45
It all changes and is different in every organization.
00:48
But having the CPSO report into the CSO might not be a bad thing. This is a C-suite role. It handles all types of risk and generally doesn't have a P&L. It doesn't have a profit or loss.
01:00
And this helps the CPSO not to be buried in a position way down in the weeds in the organization.
01:07
This position can be very effective in reporting to the CSO as a peer to the CISO.
01:14
Let's talk about the CISO, the chief information security officer.
01:19
The CPSO position could be effective reporting into the CISO
01:23
because the CISO is responsible for enterprise cybersecurity.
01:26
In either position, the key to success is when the CSO and the CISO understand that product security is different than enterprise information security. It's just not another flavor of cybersecurity.
01:41
If the company's main source of income is from connected products and services, or there's significant reputational or regulatory risk associated with connected products and services,
01:52
then it certainly makes sense for the CPSO to be positioned in a way that they can inform the business about product cybersecurity risk,
02:00
just as a CISO informs the business of information security risk.
02:05
Maybe that route is in person. Or maybe it's through the CSO or the CISO or the CTO.
02:14
Personally, I tend to believe that the closer an individual is to the top, the clearer their message is and the less filters that they have.
02:22
So let's talk about the chief risk officer, the chief privacy officer and the chief legal officer.
02:27
Some organizations may wish to have the chief product security officer reporting into an organization that doesn't have a P&L because they don't want this kind of conflict to happen. And maybe the CSO role doesn't exist in that type of organization.
02:45
So in these types of organizations, risk, privacy and legal could all be good alternate solutions, depending on the organization.
02:54
So one of the downfalls of this, though, is that the chief product security officer
03:02
will need to make sure that they communicate well what the risks are, because these organizations are more compliance focused
03:09
than they are, typically, cybersecurity focused.
03:14
And so that means that there's going to be distance between them and the final product. And that distance may impact their comprehension of the urgency or need of certain risks that are out there.
03:28
So, the CIO: reporting into the chief information officer. I put this in here because, you know, why not? The CIO is generally in almost every single organization, and it may seem like a good fit for some people.
03:42
In many ways, this might be the opposite of placing the role within engineering. It may not feel like a natural fit because the focus of the CIO is generally on enterprise technology. They're more focused on the operational aspect of information technology.
03:57
And while IT might certainly know about production floor issues, as an organization they're going to have layers of separation between them and the product development process.
04:06
And one of the risks is that the CPSO becomes an observer to real action. They would end up
04:14
scheduling a meeting to be caught up on the latest engineering decision, instead of being embedded in those groups, making those decisions.
04:21
Like engineering, this might also be a source of natural conflict, which, granted, might not be a bad thing.
04:28
But the CIO always is affected by P&L decisions.
04:32
So unless the organization is very immature in the process, the CIO probably isn't a good fit.
04:38
And by that I mean that I've worked with some IT organizations that are so embedded in the business that they are actually the keepers of the business process, information and investigation. That might not be a bad fit, especially if the CPSO's organization is very immature and needs to learn how to build business process.
04:59
The abyss.
05:00
It could be the CPSO is buried so far down in organizational layers that she feels like she's reporting to the abyss and never sees the light of day.
05:10
To be effective, the CPSO needs to be able to communicate with the C-suite.
05:14
And how is she going to be able to do that, or get time on the calendar, when she's buried so far down in the organization's address book?
05:21
Or worse yet, the CPSO has a title in name only because she changed it on her email signature.
05:29
I spoke to a company a few years ago. It was a medium-sized manufacturing company looking to hire a CISO, and that position reported to the CEO who reported to the CTO who reported to the CEO. And it was a mess. Everyone in the organizational chain above the CISO said that they were personally responsible for security,
05:48
and they said it like they meant they actually were the ones who were accountable
05:54
for the program, the ones who were making the decisions.
05:57
And that doesn't work in the RACI,
05:59
and it certainly doesn't work in the real world, and you can't do that, or, well, you shouldn't do that. I think many organizations try to do that. Burying security isn't good for anyone.
06:10
Well, that's it for this lesson. In summary, we covered the advantages and disadvantages of different reporting structures for the CPSO,
06:18
and that includes all this alphabet soup of positions as well as the abyss.
06:24
I'll see you next time.