The debate over who the CISO should report to is a hot topic among security professionals, and that shows no sign of changing soon. That’s because there is still no standard or clear-cut answer. Ask CISOs themselves for their opinion, and you will get a variety of ideas.
“Historically, CISOs were directors of information security and reported naturally to the CIO,” said Andrew Howard, CEO of Kudelski Security. “As the responsibilities have been elevated, reporting to other roles is inevitable.”
As Howard noted, when the role of the CISO first became part of the executive structure in large businesses, many CISOs were considered an extension of IT and reported to the CIO. But as the role has evolved, so, too, has the visibility and importance of the top security executive in the eyes of management. As a result, many CISOs now report to higher-level leaders, including the CEO.
“Throughout our client base, we see the CISO reporting to a variety of different executives, from the CEO to the CIO to the Risk Officer to the General Counsel and also directly to the Audit Committee. The right answer really depends on the dynamics of the company,” said Howard.
Findings from PWC’s “2018 Global State of Information Security Survey” show that 40% of CISOs now report to a CEO. This compares to the 24% who report to the CIO and 27% who report directly to the board. However, reporting structure varies by company size and industry. For example, a recent report from Carbon Black found 62% of CISOs at financial institutions still report to a CIO. And a survey from IDG reveals that security executives are more likely to report to the CEO at smaller companies with revenue of less than $100 million a year. At larger companies, they more often report to the CIO.
The Case for a CISO-CEO Reporting Structure
Many argue that the days when it made sense for a CISO to report to a CIO are over because the responsibilities of a CISO now go far beyond just IT. And some note the CISO-CIO reporting structure can even introduce a conflict of interest.
“If you consider the CIA triad (Confidentiality, Integrity and Availability), CISOs and CIOs can have conflicting objectives. CIOs will prioritize availability, whereas CISOs are focused on confidentiality and integrity,” said Rick Holland, CISO of Digital Shadows. “Potential conflicts of interest can complicate CIO-CISO reporting lines.”
And some research backs up the notion that a CISO-CIO reporting structure can be harmful. A report from PWC finds that financial losses are 46% higher in organizations where the CISO reports to the CIO.
“It’s problematic for the CISO to report to a CIO as it puts CISOs in the position to argue over budget dollars with colleagues who have IT operations responsibilities but no security obligations,” said Richard Bird, CCIO at Ping Identity and former CISO of Mettler-Toledo. “Essentially, a company is then stuck choosing between operational enhancements or security, which is a devil’s bargain. No one wins. For this reason, the most secure and effective organizations have their CISOs report to their CEOs, with a direct line of responsibility to the board of directors’ risk committees.”
“Critical security issues that could be game over events or significantly impact the business should be managed at the top and not hindered by the CIO,” noted Morey Haber, CTO and CISO at BeyondTrust. “The CIO always has to balance IT, productivity, cost and security, and if they are sole decision-makers for the entire business, they cannot effectively make decisions for other departments that report into the CEO.”
Company Needs Must Come First in Reporting Structures
Whether the CISO reports to the CIO, the CEO or another executive, industry differences and individual needs due to company size all should be considered when designing a reporting structure.
“I believe that it ultimately doesn’t matter, as long as the CISO role is appropriately defined and understood by those in the organization, and that the authority for the role is in line with its accountability,” said Mike Gentile, president and CEO of CISOSHARE. “Many organizations spend countless hours trying to figure out where a CISO should report, but then completely forget to establish a critical aspect: the definition and power elements are really all that matter.”
The larger goal for CISOs today is ensuring they are working with all key stakeholders across the business to get buy-in on security and its mission across the organization.
“A CISO has to work hand in hand with several different business units, including compliance, legal, engineering, IT and more,” said Paul Gagliardi, CISO of SecurityScorecard. “Regardless of who that person reports to, those cross-business relationships and ability to understand their perspectives and needs will dictate the success of the CISO.”