A House Energy and Commerce Committee report’s suggestion to require an agency’s chief information security officer to directly report to the Office of the General or Chief Counsel rather than the chief information officer reflects a trend that is common in the private sector, Angie Petty writes in a blog post for Deltek.
Petty, a senior principal analyst at Deltek, said the House panel’s recommendation stems from the finding that CIOs within the divisions of the Department of Health and Human Services focus more on operational matters than data security risks.
The House panel also found that the traditional structure where CISOs report to CIOs keeps security officials from carrying out comprehensive security audits.
Lawmakers stated in the report that changes to the conventional reporting structure will help mitigate the “tension” between operations and security.
“In my cursory search, I was not able to find any federal CISOs who reported to the Office of General Counsel or to any office other than the CIO,” Petty said.
“However, in the private sector there is a debate regarding whether the CISO function should report to the CIO or directly to the CEO.”
She noted that organizations in the private sector are more concerned that the reporting structure between CISOs and CIOs might lead to the prioritization of revenue-driven operations over security concerns.