This question was asked in a recent webinar with ID Experts and Cris Ewell of Seattle Children's:
Cris mentioned their governance and organizational structure with the CISO reporting to the board and general counsel. This seems like a particularly enlightened structure. Could Cris share what thinking or impetus led to Seattle Children’s adopting this particular governance structure for patient data security?
Seattle Children’s had struggled in the past with where to put information security. With our culture of continual improvement, there were issues that were not being addressed, so the executives and board decided to make a change. Previously, the Information Security Officer reported to the CIO. This is most likely similar to many organizations. With the change, the position was changed to a CISO position reporting to the SVP/Legal Counsel as well as the Audit and Corporate Responsibility (ACR) Committee (Board level). I serve as a non-voting member of the ACR committee. The main point with any governance structure is to have the relationships with management at all levels. While Seattle Children’s structure is ideal and gives me the ability to effect change, it really comes down to the relationships. I have been successful in many different governance structures.
We find that every organization is different and has its own governance structure. It's always nice to see how real-world CISOs are approaching and adapting to the ongoing difficulties of infosec.