With cybersecurity such a critical organizational consideration, where should the CISO report into the business for maximum effect? Dave Cartwright, CISSP, asks whether we need to rethink the accepted norms of where the CISO role fits in the organization and its reporting structure.

There are many surveys each year that look at whom the CISO reports to – and the answer has remained largely the same for many years. In the U.S. section of one survey we looked at as an example, roughly a third of CISOs report to the CIO, almost one-fifth answer to the CTO, 7% to the chief risk officer and only 3% to the CEO. Only 6% of CISOs are at a hierarchical level that could report directly into the CEO, with two-thirds reporting into one of the CEO’s direct reports and a perhaps-surprisingly-high 8% sitting three or more levels down from the top. The numbers vary a little between surveys, but the story remains broadly the same.

Leaving aside research for a moment, though, the question we should be asking is: why does the CISO report to the CIO in so many cases?

There are various opinions on this. One says that “in many organizations, the CIO oversees all information technology initiatives, including data security; as such, it makes sense for the CISO to report directly to the CIO in those cases”. Another is of the view that “the CISO reporting to the CIO can create tighter strategic bonds, help align investment, and focus activities that systematically drive down risk”.

Whatever the case, things appear to be changing. As Bruce Brody wrote in a Cisco blog: “Lately, some very progressive organizations in the Fortune 500 and the Global 1000 have elevated the CISO to a reporting relationship under, variously, the Chief Risk Officer, the Chief Security Officer, the Chief Financial Officer, the General Counsel, or even the Chief Executive Officer”. I have reported into the CFO, the CIO and the CTO and it has been fine in all three cases. But was it fine because it was the right thing to do?

Possibly not, and the usual objection is, of course, conflict of interest.

A Symbiotic Relationship

The CISO relies on the CIO’s team to do the hands-on implementation of security policies and system configuration. Any negative report to the executive committee or the board can be perceived as criticising the CIO – who, unlike the CISO, is probably a senior executive and potentially even a board member. As Renee Broadbent puts it in a blog article: “Since the CISO’s role is to ensure security compliance, they must be able to function independently to create fair and objective risk assessments and recommendations. If a CISO reports directly to a CIO, pressure could be placed on the CISO to lessen security to fit the needs of the technology processes”.

Understanding Current Reporting Lines

Instead of musing on why the CISO reports to the CIO, let us instead ask: why does the CIO not report to the CISO?

We’ll pause here for a moment, because everyone reading this is now thinking of their own situation and wondering what it would be like to swap places with their boss. If we think about it, the idea has a lot of upsides.

First, it probably puts the CISO on the executive team, one step away from the CEO, which can only be a good thing. One could, of course, argue that in the traditional model the CIO is a useful bridge between jargon-speaking security people and business-speaking CEOs, but this is a stereotype, not an argument. After all, although CISOs are often two or more steps removed from the top of the organisation chart, many of us nonetheless find ourselves in executive committee and board meetings presenting to senior management, so we still have to learn how to communicate with that audience – just as the Chief Marketing Officer (CMO) has to avoid marketing-speak, the CFO must not get financially technical and the CIO must avoid presenting in ones and zeroes. Put simply, an effective CISO doesn’t need a translator any more than anyone else in the room.

Second, it completely re-frames the dynamic of how the IT department works. Notwithstanding that the CISO is about information security, not just IT security, the fact remains that most cyber issues are either caused by technology (in this definition we include configuration errors introduced by human error) or mitigated by technology such as anti-malware, data leakage prevention (DLP) tools, endpoint detection and response (EDR), security information and event management (SIEM), security orchestration, automation, and response (SOAR), and so on. All of a sudden, the CISO is able to direct the IT team’s priorities to ensure that the required levels of defence are implemented, monitored and managed, and the CIO is there to lead the team that makes it happen. This flips on its head the classic problem of the CISO needing to cajole and persuade the CIO to prioritise some cyber work over the latest non-critical technology project.

This second concept is a two-edged sword, though: the CISO gets the power they need to do what is required, but with it comes the accountability for achieving it. The “risks” section in the board report that says “capacity issues in the IT team may impact the ability to deliver cyber solutions” simply goes away, because the CISO now has both: (a) the power to prioritise cyber; and (b) full accountability if they fail to do so effectively.

The third benefit is that it sends a message. Yes, having the CISO report into the CEO alongside the CIO can bring positive perceptions that the company is taking security seriously, but making the CISO the head of all IT metaphorically shouts it from the rooftops. It says: we value our CISO and what they do, and we just gave them all the tools needed to make it happen.

Non-Standard Thinking

There is a wider message that can be sent, too: we are an organization that thinks about how things should be structured and isn’t afraid to be a bit unusual. We can think of organisations where the risk function sits under the CFO, for example, rather than there being a Chief Risk Officer (CRO), and others where the CRO is a full board member but the CFO is not. We also know a large business that recently moved its CIO alongside the CISO under the global risk and security head – not quite the CIO reporting into the CISO, but both at least answering directly to the person whose head is on the block for risk- and security-related issues. The latter is a relatively recent move, and we will watch with interest how things transpire.

One of the most watched TED talks of all time is entitled “Do schools kill creativity?”, given by the late Sir Ken Robinson. As an educationalist, Sir Ken was a huge proponent of being a little different in schools and breaking the traditional hierarchy in which mathematics and languages are the most important subjects to study, with drama and dance at the bottom of the ladder. He said that “in pretty much every system … there's a hierarchy within the arts. Art and music are normally given a higher status in schools than drama and dance. There isn't an education system on the planet that teaches dance every day to children the way we teach them mathematics. Why? Why not? I think this is rather important”.

As for shaking things up and making the CIO report to the CISO: why? Why not?

Sources:

  1. https://istari-global.com/insights/spotlight/2023-global-chief-information-security-officer-survey/
  2. https://securityintelligence.com/articles/who-should-ciso-report-to/
  3. https://www.linkedin.com/pulse/should-ciso-report-cio-shaun-marion/
  4. https://blogs.cisco.com/security/should-the-ciso-report-to-the-cio
  5. https://www.ted.com/talks/sir_ken_robinson_do_schools_kill_creativity?subtitle=en