As the CISO role continues to gain traction in both prevalence and industry adoption, there is perhaps no more contentious topic than who the CISO should report to. If you asked 20 experienced security leaders, you would likely get 20 different answers. This is for good reason, given that the role's areas of focus and expertise vary with the industry, the shape and size of the organization, and more. In the article below we discuss some of the key considerations in deciding who the CISO should report to.
Let’s first level with the reality that no matter where the CISO reports, there are some key activities they will have oversight of and provide unique expertise on. This includes fundamentals such as data and asset security, security training, security policy design and enforcement, system monitoring and incident response, just to name a few. Regardless of where the CISO reports, they ultimately are responsible for the comprehensive cybersecurity program of their respective organizations. Now that we’ve got that out of the way let’s discuss some common CISO reporting relationships and their associated pros and cons.
Traditionally, the CISO has largely reported to IT leadership, often the CIO or occasionally the CTO. This is because historically the CISO's main focus was on the technical cybersecurity activities of an organization. Those were, and still are, incredibly valid focus areas, but the role has continued to evolve. The CISO is increasingly becoming a C-Suite business leadership peer.
This elevation of the CISO to the C-Suite level, potentially reporting to the CEO, places the CISO where they can be actively involved in the strategy and execution of key organizational objectives that are not necessarily tied directly to IT assets, such as third-party risk management, vendor evaluations, insurance, crisis communications, M&A and much more. They are also empowered to help facilitate key conversations with their C-Suite peers as part of the broader discussion of risk management. Many even see the CISO role evolving into a Chief Security Officer or Chief Risk Officer in time, and depending on the size of the organization, many already have these roles in place. This is a logical trajectory, given that cybersecurity is inherently a discipline within the broader domain of enterprise and organizational risk management.
There are also some problems with the traditional structure of having the CISO report into IT leadership. Key among them are cybersecurity spend being nested under the IT budget, and IT security issues being reported to the very individuals who drive IT strategy for the organization, who, ironically, are often also the CISO's boss in the traditional model where a CISO reports to a CIO. This leaves the CISO in the position of policing, or bringing to light, potential flaws and missteps of their own boss. Another challenge is that the CISO is not seen as a true C-Suite peer when nestled under IT leadership rather than standing as an equal partner.
All of these concerns and points aside, there have been and still are countless CISOs operating under traditional reporting structures who are wildly successful in leading organizational cybersecurity programs and ultimately driving down organizational risk. Many successful CISOs will tell you that the leading contributors to their success are support from their leadership, being included in critical conversations, and the ability to wield influence across the organization. Regardless of where the CISO reports, those things will always be fundamentally critical.