To whom does the information security officer report? It depends.
It depends on who you ask, and it depends on what the organization as a whole wants to accomplish by having a CISO in the first place. That said, for the majority of organizations, it’s critical that the CISO report to a business executive rather than a CTO and with as few layers as possible between the CISO and the CEO. The reason for this is that security success is lower for organizations where the CISO reports to someone who does not report directly to the CEO.
Common CISO reporting structures
CISOs typically report to one of several positions: either a technology position – typically, the CIO – or a business position, such as the chief risk officer (CRO), chief financial officer (CFO), chief operating officer (COO), or CEO. The choice depends on how the organization wants cybersecurity to work: as a compliance checkbox; as a security measure subordinate to service delivery; as another facet of risk management; as a business enabler focused on continuity and integrity of operations; or as a transformative business catalyst.
CISO to CIO: Cybersecurity in IT
The most common reporting structure has the CISO reporting to the CIO, which is generally the less effective choice.
The logic behind the CISO to CIO report is that cybersecurity is largely a technology function. This assumption is both inaccurate and dangerous.
It is inaccurate because the CISO is responsible for protecting the entire company from attack, not just the company’s technology infrastructure. A successful attack damages more than a company’s networks and systems: it can cost billions of dollars in market capitalization and tarnish the organization’s brand.
It is dangerous because CIOs and CISOs often have competing priorities. When the CISO reports to the CIO, the CIO ultimately has veto power over the CISO’s actions and can control the CISO’s agenda and direction. The organization recognizes the importance of cybersecurity, since it has a CISO, but treats it as secondary to the delivery of IT services.
This reporting structure may indicate that the business views delivering services with inadequate security as acceptable – although often only temporarily – when critical deadlines are at stake. In this case, doing business quickly trumps doing business responsibly. Such organizations often see security enhancements for internal applications arriving late in the process, or security wrappers bolted on to purchased products in place of built-in security.
CISO to CFO: Cybersecurity Because Auditors Demand It
Companies that treat cybersecurity as a checkbox requirement for auditor approval can put their CISOs — and, often, their CIOs — under the CFO. In this case, organizations view cybersecurity, like IT, as a cost of doing business with little or no strategic value. Placing cybersecurity under the responsibility of the CFO ensures that externally imposed requirements are met, while costs are contained and closely monitored. The CISO in this type of organization may not even have a dedicated staff or budget and may have an extremely limited scope of authority.
CISO to COO: Cybersecurity as an operational necessity
When the CISO reports to the COO – typically, alongside the CIO – it means there is recognition that cybersecurity issues have the power to disrupt all aspects of operations. Placing the CISO directly below the COO is an endorsement of the realization that proper cybersecurity is a core business requirement. Reporting alongside the CIO, rather than to the CIO, the CISO has parallel authority and is less likely to have to subordinate cybersecurity policies and requirements to IT expediency.
CISO to CRO: cyber risk as part of enterprise risk
Some organizations that view cyber risk as a form of business risk require the CISO to report to the CRO. This is an efficient reporting structure if and only if the organization has a well-structured and mature risk program – typical of financial companies, pharmaceutical companies and defense organizations, among others – and a CRO who reports directly to the CEO.
The value of this reporting structure is that it contextualizes CISO challenges, concerns, and issues within the larger enterprise risk framework, which, in theory at least, is where it belongs. Cyber risk is just one form of business risk, along with geopolitical risk, innovation risk, and so on. Where those conditions are not met, the risk program may be immature or short of resources, too far from the ears of the leaders, or all three.
CISO to CEO: cybersecurity as a catalyst for strategy
When the CISO reports to the CEO, it is a strong statement that the company views cybersecurity as a core business concern, one that is not only of tactical and operational importance, but also strategic. CISOs in this type of organization can rely on high-level support to establish comprehensive security architectures and adopt and implement zero-trust and “secure-from-start” models.
The right approach
Nemertes’ research has shown that it’s better for the CISO to report to a senior company executive, not the CIO. This type of reporting structure is aligned with greater cybersecurity success – by objective metrics – than reporting to the CIO or to a less senior executive.
In many cases, reporting to the CEO is optimal. Cybersecurity is an existential issue for any company for which IT is an integral part of doing business, that is, almost all companies, regardless of size. The fact that the leader of cybersecurity efforts reports to the head of the business is an unambiguous indication of its importance. If a company is big enough to have a CISO, that CISO must report to the top.