As I travel the U.S. and the world, I am frequently asked what the proper reporting structure is for the Chief Information Security Officer (CISO). While it sounds cliché, the real answer is “it depends.” First, it is critical to understand the security goals for the organization and leadership’s perspective on security. Other factors such as company maturity, size, industry and the role you want the CISO to play should be considered. Only then can you determine if the CISO should report to the CEO, the CIO, the CRO, the CFO or some alternative reporting structure.
Factors Influencing Where the CISO Should Reside in the Organization
Leadership’s Perspective on Security
Companies committed to staying ahead of cyber threats highly value the role of the CISO and view security as an enabler and core to the business. In these companies, CISOs typically report to the CIO, with a dotted line to the CEO and board. This is the most common reporting structure for large companies with a mature cybersecurity program.
When leadership does not view security as core to the business, but rather a “cost of doing business,” the CISO is perceived as a technical caretaker of security technologies. The goal is to minimize security’s drain on revenue and meet contractual security requirements. In this scenario, the CISO tends to report to the CTO or CIO.
Companies in regulated industries (e.g., banking, pharmaceutical, healthcare, nuclear) that must meet aggressive compliance requirements are apt to support the CISO with strong alignment to the business. Financial services organizations have faced regulatory requirements since the 1990s and have invested over that time to meet them. Other regulated industries have seen threats and regulatory requirements change more recently – and rapidly.
It is important to note that being compliant does not mean a company has a strong, effective security program that can mitigate the incidents that will inevitably occur. In fact, companies outside financial services may be less concerned about security or the threat environment. For compliance-focused companies, the CISO may report to a compliance function, or even be the compliance function; this can manifest as the CISO reporting to the CFO or General Counsel. In large financial institutions where effective security is required, the CISO typically reports to the CIO. In a few cases, financial institutions have had the CISO report to the CRO to help insulate the security budget from technology budget needs and constraints.
The energy industry plays a critical role in national economic security. Larger companies in the industry generally have the CISO reporting to the CIO. However, some companies in this area have split the traditional CISO responsibilities among related teams. For example, firewalls and related security systems may be managed by the IT network team, security operations by the network operations center and endpoint security by the desktop team. While distributing security functions can work, a senior executive often ends up performing many aspects of the CISO role – even if he or she does not hold the CISO title.
Retail, transportation and manufacturing companies have lagged other industries, with the CISO typically reporting two or more layers below the CEO. Smaller companies near the bottom of the Fortune 1000 may have only a director of information security who is focused on the technical basics of security. Until recently, companies in these industries did not feel especially vulnerable to external threats. Security awareness and concern have grown in these industries due to several factors: greater connectivity and digital transformation efforts, new business systems that are accessed remotely, increased threats from nation-states and hacktivists, the consequences for leadership following breaches, and the growing number and public reporting of cyber breaches and incidents. As a result, more CISOs are being hired in these industries, and they tend to report to the CTO or CIO.
More recently, we have seen the impact of attacks on business in new ways. The WannaCry and NotPetya malware outbreaks of 2017 demonstrated how dependent many industries and businesses have become on suppliers’ IT systems: NotPetya entered many of its victims through a compromised update to a supplier’s accounting software, and shipping, logistics and manufacturing companies with no direct connection to the initial target lost operations for weeks. Companies that recognize that cyber risk extends beyond their own IT systems have started to think more broadly about cybersecurity as a business risk and align the CISO to an Enterprise Risk Manager or Chief Risk Officer. While this is not necessary, it provides a different perspective and an alternate funding channel for cybersecurity efforts.
Product security is another factor that is changing the CISO’s reporting structure and responsibilities. Companies producing connected products have begun to recognize the critical role security plays in the design, development and ongoing support of those products, and CISOs are increasingly taking on responsibility for product security. This is most common in the security industry, where the CISO is more likely to report to the CEO: companies whose business model is built on selling security products recognize that the CISO is integral to the business.
Consider Reporting Options and Consequences
Who the CISO reports to in your organization greatly impacts his or her ability to perform. Take the time necessary to understand the role you want the CISO to play, the importance of the role to your business and the tradeoffs associated with the reporting structure chosen. See the chart above for a comparison of some commonly seen reporting structures for CISOs.
Making Security Strategic to the Business Requires Commitment
While determining who the CISO reports to is important, to be effective the CISO should have:
- Some access to the board, CEO and other executive committee members.
- A budget that is at least partly funded outside the CIO’s organization.
- Clearly defined responsibilities.
- Known limitations and clearly defined decision making authority.
- Defined personal and program goals that map to business objectives.
- Comfort knowing the CEO will take that midnight call on Sunday.
- The backing of a management team that understands and supports the security program and its ability to enhance shareholder value by protecting the company’s market share, brand and revenue.
There is no one-size-fits-all reporting structure for the CISO; choosing one requires a deep understanding of both the organization’s security objectives and leadership’s perspective on security. As CISOs assume a permanent seat at the executive table, it is important to choose a reporting structure that gives them the executive access they need to inspire and direct others across the organization to advance security and compliance initiatives.