C-Suite Shuffle: evolution of the role and hierarchical structure of the CISO


In 1994, Steve Katz became the world’s first chief information security officer (CISO) after Citicorp suffered a series of cyberattacks at the hands of Russian hackers. Katz is an undisputed legend in the profession he is credited with starting, and his origin story remains relevant today for CISOs adapting to new reporting structures and relationships with their C-suite colleagues.

Today, more than a quarter century after the position first appeared, cyberattacks continue to drive CISO hiring and investment in information security. The evolution of the role since then explains the current trend toward a hierarchical structure in which the CISO reports directly to the CEO or another C-suite executive, with a dotted-line relationship to the CIO. That was not, however, the structure when the role began.

A quick lesson in CISO history

The CISOs who immediately followed in Katz’s footsteps had typically come up through the IT function. They had networking and infrastructure experience, perhaps some IT auditing expertise, and even a bit of risk management in their background. The role was technical in nature and appealed to up-and-coming leaders who might have aspired to become CIOs. (Before the CISO title existed, the role was often referred to as chief security officer.) During the position’s first decade, most CISOs reported directly to their CIOs and had no reporting responsibilities to the board of directors.

The role began to evolve in the mid-2000s as cyberattacks escalated and regulators and industry standard setters responded to these incidents with new rules and guidelines. The ongoing adoption of more sophisticated systems and technologies, along with data-driven approaches to the business, continues to shape the role of the CISO to this day.

Some of these changes have raised questions about competing interests between the CISO and the CIO. CIOs, then as now, were responsible for propelling the business forward by transforming its inner workings from manual processes to automated ones through enabling technology, as quickly and cost-effectively as possible. That mandate can conflict with the CISO’s mission to protect the organization against cybersecurity risk: new technologies often introduce new risks, and mitigating them takes time and costs money. It is understandable that a CISO would be reluctant to hamper the efforts of the person signing their checks. These tensions raised more questions about whether the CISO position should be separated from the CIO and the IT function.

Later, regulation of the financial services sector, which has long served as a cybersecurity beacon for other sectors, raised additional questions about the CISO’s reporting structure. The Office of the Comptroller of the Currency (OCC), in its final rule of September 2014, distinguished risk management responsibilities across an organization’s three lines of defense: the first (operating units), the second (risk management) and the third (internal audit). This fundamentally changed the way banks organized their reporting structures, including for CISOs, whose independence from the CIO was established by having the position report instead to the chief risk officer (CRO), chief audit officer, chief financial officer, or even the CEO.

New Stakeholders and Benefits to Consider

State, federal, and national information security and data privacy regulations have proliferated over the past few years, and many of these new rules require companies to have a CISO position. For example, the Bermuda Monetary Authority’s Insurance Industry Code of Conduct for Operational Cyber Risk Management and the New York Department of Financial Services’ Cybersecurity Regulation both require organizations to have a CISO in place.

Recently, the US federal government released several security memoranda and directives, among them President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, that emphasize the need to have a CISO in place. In addition, the American Institute of Certified Public Accountants (AICPA) offers a mock audit, provided as an appendix to financial audits, that communicates the need for every public company to have a board member with security expertise.

The expanding privacy and data security regulatory landscape, along with the growing prevalence and pervasiveness of ransomware and malware attacks, further underscores the importance of the CISO’s role.

These developments have increased the responsibilities of the modern CISO while raising important questions about their role and place in the organization:

  • Should a separate data privacy function be created, and should it sit under the CISO, a chief privacy officer (CPO) or a data protection officer (DPO)?
  • What is the real role of the CISO: governance, risk management (second line) or operational security (first line)?
  • How can an independent information security program maintain a collaborative partnership with IT, given the critical need to build security into development and operations? Isn’t there an inherent conflict in the role?

Regardless of the maturity of their cybersecurity capability, most organizations need to carefully consider or reconsider the CISO’s reporting relationship(s). A recent survey of CISOs conducted by Hitch Partners found that the percentage of CISOs in private companies who report to the CEO (27%) has more than doubled since 2019 (11%). The survey also shows that CISOs no longer report to CIOs in public companies.

Ultimately, there are pros and cons to having the CISO report to another senior executive, such as the CEO or CRO, rather than to the CIO. Benefits of reporting to the CEO or another C-suite executive include:

  • Aligning the CISO’s position with its corporate oversight objective;
  • Isolating the cybersecurity budget from the IT budget;
  • Increasing the CISO’s authority and influence outside of IT, which lets the CISO interact regularly with business units, brings the CISO closer to the broader business and IT threat landscape, and improves communication of a comprehensive information security policy;
  • Reducing the perception that cybersecurity is just an IT problem;
  • Ensuring that the CISO team’s projects and workload are organized and managed independently of the IT department;
  • Strengthening the security team’s ability to manage shadow IT security risks; and
  • Strengthening the CISO’s hand when the CIO accepts too much risk.

On the other hand, there are also benefits to consider in maintaining a CISO-CIO reporting structure, such as:

  • Increasing the CISO’s influence and authority within IT;
  • Reducing the coordination burden on the CISO team compared with operating separately (for example, as part of the CEO’s or CRO’s organization);
  • Increasing the CISO’s proximity to frontline infrastructure, development teams, the evolving technology environment and the day-to-day threat landscape; and
  • Emphasizing the importance of information security in frontline business functions, rather than treating it as a problem to be solved by risk management (second line) or internal audit (third line).

CISOs and their C-suite colleagues have a lot to weigh when evaluating which reporting structure best serves the interests of the organization. Given the challenging mandates CISOs must fulfill to protect their increasingly data-driven organizations against a rapidly growing threat landscape, these considerations deserve careful attention.

This article was written by Nick Puetz and Farid Abdelkader.

Copyright © 2022 IDG Communications, Inc.
