As cybersecurity risk management has ascended to become a top strategic priority, where the Chief Information Security Officer (CISO) sits within the leadership team has become a major question.
It is fair to say that there is no one-size-fits-all answer. Organisations need to weigh up the advantages and disadvantages of several models and see which one suits them best.
Here are some of the current options:
Option #1: Reporting to the CIO
It has been traditional for the CISO to report to the chief information officer (CIO). Indeed, this tends to be the most common arrangement today. This reporting line has made a great deal of sense, since the CIO is the member of the business leadership team who should best understand cybersecurity, and the CISO role was created to secure IT systems and data.
However, this model may be losing its relevancy as CISOs begin to see how much they need to influence and exert control outside of the IT realm. For example, they must consider employee cyber awareness and education, policy development and even programmes of cultural change. Technological solutions cannot remedy the whole issue when the biggest vulnerabilities are the humans inside the organisation.
CIOs also have competing priorities that may conflict with a CISO’s cybersecurity agenda. For example, budget for application development, infrastructure and networking may take precedence over what the CISO may prioritise for their team and organisation as a whole.
Option #2: Reporting to the CRO
A recent trend has been to see the CISO working under the chief risk officer (CRO), especially within financial services and larger corporates.
Organisations that rely on greater insight into enterprise risks are recognising that their risk management team needs to cover cyber risks much more thoroughly and proactively. The CISO is then a natural member of the risk team.
A downside of this model is that the CRO doesn’t tend to report to the CEO, so this reporting structure can further distance CISOs from top executives and company strategy.
Option #3: Reporting to the CFO
Companies collect all kinds of functions under finance—IT, risk management, procurement, tax, audit. So, it is not unusual to place the CISO there as well.
Having the chief financial officer (CFO) as their boss puts the CISO in direct contact with the financial power on the board. CFOs who are sensitive to risk management may make critical decisions about cybersecurity spending. They also can be the CEO’s heir apparent.
The downside is that many CFOs want to see returns, particularly if they are incentivised on year-over-year earnings growth. This can be challenging for CISOs, who may find it difficult to present the financial benefits of cybersecurity investments.
Option #4: Reporting to the CDO
The chief data officer (CDO) is a relatively new corporate role often focused on preserving and expanding the value of corporate data, so there is certainly some overlap with the CISO’s role in protecting that data.
However, the CDO tends to see data in ways that clash with a CISO’s view. A CDO wants to leverage data to increase revenues and can judge a CISO as putting obstacles in the way of making this happen. With their focus on mining data for the business, the ability of a CDO to also support cybersecurity may be limited. Like a CRO, a CDO doesn’t necessarily report into the CEO, meaning the CISO remains further removed from strategic decision-making and budget-setting.
Option #5: Reporting to the CLO
A rarer model is for the CISO to report into an organisation’s chief legal officer (CLO). This happens when a CEO recognises the critical nature of cybersecurity and its regulatory demands and risks, and deems that the chief legal officer is best trusted to deal with these matters.
Legal officers within an organisation handle significant issues related to information governance and compliance, and have a good idea of corporate direction since they often serve as board secretaries. They also tend to get involved when there is a cybersecurity incident. Unlike the CEO or even the CFO, an organisation’s legal officer has few other direct reports, so a CISO can find themselves a well-regarded adviser.
A drawback of this model is that chief legal officers tend to be engaged in cybersecurity on an episodic basis, for example when a breach occurs. They have less interest in cybersecurity as an operational issue to be planned for, monitored and improved.
Option #6: Reporting to the CEO
For a long time, it has been predicted that the CISO would report directly to the CEO; three years ago IDC predicted that 75% of CISOs would do this. However, this reporting model is still the exception rather than the rule. Those organisations that have embraced this approach are typically tech-centric companies or those that have suffered high-profile cyber setbacks and demand a CISO who is a true business leader.
Reporting to the CEO maintains the independence of the CISO role and can enable a fuller, more open discussion with all the senior stakeholders. Yet adding the CISO to the CEO’s direct reports runs against a trend of CEOs seeking to reduce rather than increase the number of principals who report directly to them. CEOs want less, not more, distraction from their focus on strategy and operational leadership.
This perhaps explains why those predictions of CISOs reporting to CEOs haven’t yet been realised. Many CEOs may actually prefer their CISO reporting into the CIO, who can then filter out the relevant information.
Option #7: Reporting to the Board
An alternative that few companies have considered, but which is worth exploring, is having the CISO report directly to the board of directors or one of its committees.
The board’s prime responsibility is to supervise management. As organisations become more digital, the board needs to know the unvarnished truth about an organisation’s cyber performance. A CISO who reports directly to the board can facilitate the exchange of critical information that hasn’t been sanitised. These sessions could also allow the board to receive discrete cyber briefings outside of the main board meetings, where its attention is drowned out by a plethora of other issues. A major challenge with this model is whether the board has enough knowledge of cybersecurity issues to make this engagement meaningful.
Overall, there is no right or wrong way for the CISO to fit into the organisation. What is important is that a CISO’s concerns and recommendations are fully heard and understood. Any reporting model that doesn’t close the gap in a common understanding of cybersecurity between the differing technology and business leadership perspectives will not be helpful to anyone: CISO, CRO, CIO, CFO, CEO or anyone else at board level.