The first Chief Information Security Officer (CISO) appointment was made in 1995. Since that time, the corporate world’s adoption of digital systems has mushroomed. Data, whether intellectual property or customer information, has become a competitive requirement — and the pandemic has accelerated the evolution of remote working, dramatically changing the network perimeter. As a result of all of this, security management has become exponentially more complex, and the cyber threats a business faces are now innumerable.
This all falls at the feet of the CISO — but where they sit within an organization will influence their effectiveness in managing this increasingly intricate information security arena. Below I’ve outlined the typical chain of command for CISOs and how this impacts their ability to secure organizations.
When the CISO reports into the CIO/CTO
Historically, this has been the most common designation for a CISO. Over the past 20 years, the hierarchy of business needs has weighed in technology’s favor, with security being viewed as a necessary addition. As a result, boards tended to appoint Chief Information Officers (CIOs)/Chief Technology Officers (CTOs) and only hired CISOs when their security needs or regulators really demanded it.
However, this can often become problematic. In this position, the CIO/CTO has the final word on the technology and security budget. They can, and do, end up allocating more of that budget for large technology projects — whether they involve updating end-user computing, implementing a new CRM system or buying a sales platform. If this happens, the CISO only has a limited capacity to influence their security budget as a result of having no direct line to the board. Where this has played out, CISOs have been known to resign. A security breach is on their head, and their reputations are at stake. If they aren’t provided with adequate budget to secure an organization, it’s not worth their career to stay.
What’s more, if a board is looking for a high-caliber CISO, they can’t earn less than the CTO (which will happen if the CISO reports into the CTO). In the current tech executive market, CISOs now command as much as, if not more than, their CTO peers. Boards need to be cognizant of this.
When the CISO reports into the CRO
This is an increasingly common reporting line, particularly in highly regulated industries. There are a number of advantages for CISOs reporting into Chief Risk Officers (CROs). The first is confidence in the organization’s appreciation of risk. Where the CISO reports into the CRO, they have a distinct ability to influence the risk appetite of the organization. This professional background tends to provide CISOs with more personal comfort and makes them less likely to resign over what they perceive as an underappreciation of cyber threats.
The second advantage of this position is that an Information Technology (IT) department is not responsible for auditing its own security. There’s far less opportunity for IT teams to cut corners or sweep issues under the carpet if the CISO exists outside of their reporting structure. Ultimately, it makes it difficult for conflicts of interest to arise between individuals within the same business unit where auditing is concerned.
The final advantage is optics. Appointing both a CRO and CISO sends a message to employees, customers and shareholders that risk (particularly cyber risk) is taken seriously. While this won’t be necessary for many organizations, this sort of structure is being seen more and more in areas of financial services, telecommunications, pharmaceuticals, energy and critical infrastructure.
When the CISO reports into the COO
This is another common reporting structure for CISOs to find themselves in. Where this happens, the CISO will typically report into the Chief Operations Officer (COO) alongside the CTO or head of IT. This reporting structure means that cybersecurity and technology act on an equal footing where budget allocation is concerned, and neither is given unfair priority over the other. It also means that technology- and software-related decisions are usually made in tandem with cybersecurity.
CISOs reporting into COOs are usually highly effective, and the structure tends to be found in large companies operating in heavily regulated markets. For example, in large financial services companies like banks or building societies, the COO is often more akin to a deputy CEO — they will typically have a deep understanding of risk and security regulation as it relates to financial services. CISOs do well in these environments where the risk appetite is already very high and large data protection budgets are accepted by the board.
When the CISO reports into the CEO
This is somewhat less common, but the CISO community is becoming increasingly vocal about the need to report directly into the Chief Executive Officer (CEO). This position offers them greater organizational visibility and better enables them to build security protocols throughout an entire business. As a member of the C-suite, it also gives them a certain amount of clout when trying to influence the security and risk awareness of individual functions. Importantly, it means that the CISO can make a case for cybersecurity directly to the CEO and the board, usually resulting in improved threat awareness and greater allocation of budget.
However, CISOs should remember that this is a C-level position. CISOs reporting into CEOs should be able to combine technical expertise with strong business acumen. When interacting with their fellow C-suite members, they should be able to demonstrate their understanding of the organization’s goals and how cybersecurity can enable them. What’s more, they should have the type of leadership and communications skills required of a C-suite executive.