A House Energy and Commerce Committee report’s suggestion to require an agency’s chief information security officer to directly report to the Office of the General or Chief Counsel rather than the chief information officer reflects a trend that is common in the private sector, Angie Petty writes in a blog post for Deltek.
Petty, a senior principal analyst at Deltek, said the House panel's recommendation stems from its finding that CIOs within the divisions of the Department of Health and Human Services focus more on operational matters than on data security risks.
The House panel also found that the traditional structure where CISOs report to CIOs keeps security officials from carrying out comprehensive security audits.
Lawmakers stated in the report that changes to the conventional reporting structure will help mitigate the “tension” between operations and security.
“In my cursory search, I was not able to find any federal CISOs who reported to the Office of General Counsel or to any office other than the CIO,” Petty said.
“However, in the private sector there is a debate regarding whether the CISO function should report to the CIO or directly to the CEO.”
She noted that the private-sector debate is driven by a concern that having the CISO report to the CIO may lead an organization to prioritize revenue-driven operations over security.