- Donald E. Hester
Finding the Right Fit: Exploring Local Government Cybersecurity Reporting Structures
In a previous post entitled, "Why Cybersecurity Needs to be Separated from IT in Local Governments," I discussed the importance of properly placing cybersecurity within an organization, particularly in the context of Enterprise Governance of Information and Technology (EGIT). I noted that not all cyber risks fall under the realm of IT risks and that cybersecurity is comprised of several distinct functions. The post highlighted the need to strike a balance between innovation and risk management when implementing EGIT and the importance of involving both IT and cybersecurity in the decision-making process. The post also provided insights into the different cybersecurity functions that should be separated from the CIO and placed under the CISO, as well as functions that can be effectively managed under the CIO. The blog concluded with a discussion of the maturity of elevating the CISO to a position that is equivalent to the CIO and reporting directly to the City Manager, whereby the CISO would be more business-centric.
In this post, I will discuss some of the variations of reporting structure I have seen in local governments.
Very Low Maturity
When it comes to reporting structures in local governments, one of the variations that stands out is the combination of IT and cybersecurity under the finance director. This reporting structure, while common in many local governments, is considered to be of low maturity and high risk. In the past, IT departments were often started in finance and were one of the first departments to adopt computers. However, this outdated approach is no longer sustainable given the increasing complexity of technology and cyber threats.
One of the main issues with this reporting structure is that the finance director is usually not equipped to handle the span of control and responsibility that comes with overseeing IT and cybersecurity. It's rare to find an individual who is competent in finance, IT, and cybersecurity, and has the time to dedicate to each area. This lack of proper separation of duties also means that cybersecurity risks are often overlooked, leading to poor alignment with the business and inadequate protection for critical data and services.
Furthermore, cybersecurity is typically so far down the organizational chart that it has little to no effect in providing cyber risk information to decision-makers or engaging with stakeholders to ensure that cyber risks are aligned with the business. This lack of communication and collaboration can result in decision-makers making uninformed decisions, placing the organization and service delivery at risk.
While the combination of IT and cybersecurity under the finance director may have worked in the past, it is no longer a viable approach for local governments. A more mature and effective reporting structure is needed to ensure that cybersecurity risks are properly identified, communicated, and managed to protect critical data and services.
Moving up the maturity ladder, we come across another model where cybersecurity is placed within the IT department, with the CIO or IT head reporting directly to the chief executive or City Manager. While this structure acknowledges the importance of cybersecurity, it also reflects a higher appetite for cyber risk. In this scenario, the organization is placing innovation over risk mitigation (see my previous post) and having a greater appetite for cyber risk. The CIO or IT head has to balance the often-conflicting goals of innovation and cybersecurity risk mitigation, which can lead to difficult decision-making processes.
Furthermore, the knowledge and skills required for managing IT and cybersecurity are vastly different, with cybersecurity being a specialized field that requires specific expertise. With the constantly evolving technological landscape and the emergence of new threat actors, it is a daunting task for one individual to stay updated on all the changes and be able to make informed decisions. A lack of knowledge or a missed vulnerability can result in a security incident, which can have dire consequences for the organization.
Another downside to this structure is that non-IT areas, such as OT (Operational Technology), may not receive the attention required for effective cyber risk management. Overall, while this model is a step up from the previous low maturity model, it still has its limitations and risks, and may not provide adequate protection against cyber threats.
In some cases, local governments may adopt a reporting structure where the Chief Information Officer (CIO) reports to the Chief Information Security Officer (CISO). This model is rare but provides a different perspective on the relationship between innovation and risk mitigation. In this scenario, the organization prioritizes risk mitigation over innovation, which means the CIO's focus is primarily on ensuring the organization's cybersecurity posture is strong, and innovation takes a back seat.
While this reporting structure may help the organization mitigate cyber risks more effectively, it can also lead to missed opportunities for innovation. The CIO's primary focus is on protecting the organization's data and systems, and innovation takes a back seat. As a result, the organization may fall behind the technology curve, and it may miss out on the potential benefits that new technologies and innovations could bring.
Overall, it is essential to strike a balance between innovation and risk mitigation. The ideal reporting structure for a local government's IT and cybersecurity function would ensure that both areas are given equal priority, and there is proper coordination and collaboration between IT and cybersecurity teams to effectively manage cyber risks while driving innovation forward.
Moving up the maturity ladder, organizations can strike a balance between innovation and risk mitigation. One model that has been adopted by the City of Livermore is where cybersecurity and IT are separate and both report to the Administrative Services Director. This model is analogous to the CISO and CIO being peers and reporting to the COO in the corporate world.
The strength of this model is that value delivery and innovation will be balanced with cyber risk mitigation and compliance. It allows both IT and cybersecurity to focus on their respective areas of expertise without any conflict of interest. Moreover, cybersecurity can provide some oversight to the IT function and provide executives and council some assurance.
However, the downside of this model is that the roles are not high enough to be part of the business decision-making process. The organization has placed IT in such a way that does not demonstrate it is viewed as strategic. But overall, this model supports the separation of duties between IT and cybersecurity, and cybersecurity can also focus on the non-IT areas of cyber risk like OT, privacy, compliance, ethics, etc.
Moving up the maturity ladder, maintaining the balance and separation while giving IT and cybersecurity a seat at the executive table. Having IT and cybersecurity reporting directly to the City Manager or chief executive is the ideal model for high maturity organizations. This allows for the best balance between innovation and risk mitigation while giving both IT and cybersecurity a seat at the executive table. While this model comes with an increased cost due to the additional executives, the cost of a single data breach could be much higher.
Despite the benefits of this model, there is still resistance in local government to add these positions at the director level. The League of California Cities still doesn't promote IT as a department of a City, which does not align with the ideal of digital government or smart cities. Technology is strategic for local governments, as there is almost no function that can be done in a city that does not involve data or technology. Recent ransomware attacks have demonstrated the critical role technology plays in the functioning of cities. Therefore, local governments need to recognize the importance of technology and cybersecurity and allocate the necessary resources to ensure their effectiveness.
While it is possible for local governments to adopt a lower maturity model, it is important to implement controls to avoid the pitfalls of the lower maturity models and ensure that key decision-makers are well informed and that separation of duties is maintained. This can be a difficult task, but it is necessary to ensure that the organization is adequately protected from cyber risks. Ultimately, local governments should strive to find a reporting structure that works for their organization with the highest maturity possible. Moving up the maturity ladder may not be feasible for all organizations at this time, but it is important to strike a balance between innovation and risk mitigation.
The ICMA LG Cybersecurity Survey 2020
IDG's 2020 Security Priorities Study
Does it matter who the CISO reports to? (MAR 2021) https://www.csoonline.com/article/3278020/does-it-matter-who-the-ciso-reports-to.html
Determining Whether the CISO Should Report Outside IT- Gartner ID G00743363 - (APR 2021)
How the CISO role is evolving (APR 2021) https://www.csoonline.com/article/3332026/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html
What does a business information security officer do? (AUG 2021) https://resources.infosecinstitute.com/topic/what-does-a-business-information-security-officer-do/
The Rise of the Business-Aligned Security Executive - Forrester (Aug 2020)
InfoTech Research Group