Should CISOs have as much power as CIOs?

The traditional CIO-CISO organizational structure has 'systemic weaknesses'
By Tom Sullivan
07:57 AM

With a long parade of damaging and headline-grabbing data breaches these past few years, chief information security officers are suddenly on the rise – and that's as true in healthcare as perhaps any industry.

As is the case with so many emerging job titles, the reporting structures vary from hospital to hospital. But what appears to be typical is for CISOs to sit one notch below chief information officer.

Yet many CISOs work with executives outside IT, such as compliance, legal, risk management and others. Thus, whether it makes practical sense to have the CISO report to the CIO, rather than sit at the same level, is becoming a matter of some debate.

Take the U.S. Department of Health and Human Services, for instance. At HHS, CISO Rob Foster reports to CIO Frank Baitman. The CIO, in turn, reports to the assistant secretary for administration, directly under Secretary Sylvia Burwell.

But the U.S. House Committee on Energy and Commerce is looking to change that in a way that puts the CISO and CIO on equal footing. 

Citing "systemic weaknesses in the traditional CIO-CISO organizational structure," the Energy and Commerce committee recommended that HHS re-sketch its chart to move the CISO under General Counsel – a step over and up to the same level as CIO. 


"By separating information security from information operations, this reorganization addresses the inherent subordination of HHS's information security program. It eliminates the ability of officials responsible for information operations to 'normalize deviance' in order to ease operational pressures, as they no longer possess information security responsibilities, nor does information security exist in their chain of command," according to a document titled Information Security at the Department of Health and Human Services carrying the name of committee chair Fred Upton (R-MI).

"It removes information security from the IT 'silo' and facilitates the inclusion of expertise across HHS in information security decisions."

Such a move would also reflect the reality that information security is as much about risk management and liability, which often fall under the legal team's purview, as it is about pure information technologies.

"It is no longer enough to address and mitigate the security vulnerability or vulnerabilities that facilitated a compromise; organizations must now cope with regulations regarding the exposure of protected information, litigation, and lost business from compromised IP or reputational damage," the Energy and Commerce document contends. "This reorganization is the first step toward creating a system that incentivizes better security."

It's important to note, of course, that the document is only a recommendation, based on the Energy and Commerce committee's investigation into multiple breaches at Health and Human Services and the U.S. Food and Drug Administration.

Whether or not HHS ultimately implements that structure, the proposal raises an interesting point: Has the time come for hospitals and health systems to consider arming CISOs with as much power as the CIO?
