Edwin Doyle, Global Cyber Security Evangelist, Check Point Software.

Within your organization, who does the CISO report to? Research shows that the majority of organizations need to carefully assess or reassess the CISO’s reporting relationship. According to the IANS annual CISO Compensation and Budget Survey, nearly 70% of CISOs report to a technical manager. More specifically, 54% of CISOs report to a CIO and 15% report directly to a CTO. Yet, despite the overlap in roles and skill sets between a CIO and a CTO, anchoring the CISO to a technical manager may not be the right path.

CISO reporting dependencies

[Figure: CISO reporting structure 2022. Image courtesy of IANS.]

The question of ‘who does the CISO report to?’ can be answered by looking at dependencies, levels of ‘ownership’ and the impact of the role. In a bygone era, the CISO primarily dealt with technology functions. The CISO ‘owned’ and impacted security technology, but little else. Now, the CISO owns entire systems of technical tools, and also manages employee education, collaborates with different departments to create organizational policy, focuses on regulatory compliance, and is intimately involved in vendor, partner and client-facing discussions. Additionally, the CISO needs to explain very complicated concepts to executive management and the Board, and owns the responsibility of championing adherence to a strict corporate security policy across the entire organization.

The CISO role no longer solely revolves around risk control, but also around value creation. A CISO creates value through strong security management. First-rate security management makes organizations more appealing to all prospective connections. For some organizations, security may be the deciding factor when it comes to selecting a business partner. The bottom line is that the level of impact within this role is substantially higher than in the past.

Does the CISO police their own boss?

Given the breadth and depth of the non-technical responsibilities conferred upon the contemporary CISO, it’s little wonder that a CISO seems to have ‘outgrown’ a technical manager. In addition, a technical manager may also be competing with the CISO for organizational resources, a phenomenon that has been documented extensively.

A case can be made that a technical manager also works within risk, and that a CISO should therefore report to this type of person. If systems go offline due to misconfigurations, for example, it negatively impacts the organization. But this is a different ‘risk’ factor, and one that’s also shared by other leadership within the company, such as the General Counsel and even facilities management.

An evolution of the CISO role, therefore, could be to that of the Chief Security Officer, holding responsibility for both computing and physical security and reporting to the CEO. While your organization may not yet formally retain a CSO position, your CISO can be perceived as one. Consider restructuring reporting accordingly.

Executive-level reporting

Having a CISO report to the CEO may prove effective for some organizations. However, it may not prove effective for all. Both CISOs and CEOs need to maintain a clear understanding of risk, of risk tolerance, of how the business operates, and top business objectives. Adding learning, analysis and responsibilities to a CEO’s agenda isn’t always practicable.

In that case, should a CISO report to a COO or General Counsel? If your organization pursues this model, ensuring that the CTO and CIO also report to the same management may be a best practice, as it keeps everyone on equal footing with regard to budgetary allocation and opportunities.

In some organizations, the CISO reports to the VP of Information Systems, the CFO, or the CRO with the COO or CEO serving as a dotted line manager. So, who does the CISO report to? Or need to report to?

Ideal reporting structure

The perfect reporting model has not yet emerged. Nonetheless, because the caliber of cyber security governance determines business sustainability, growth and continuity, many believe that the CISO should report to high-level business executives.

For more CISO insights, see CyberTalk.org’s past coverage. This is the third in a four-part series on the evolution of the CISO role, and I encourage feedback through my LinkedIn platform, so find me here. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.