Where Should the CISO Report in the Organization?
Where the CISO should report is probably one of those questions we security professionals will be asking until the end of eternity. We’ll finesse the subject of titles for the security leader, which also vary, and just get started.
The latest research I’ve seen suggests that in about 50% of cases the CISO actually reports to the CIO; otherwise, it’s all over the map.
You might ask: Don’t those organizations with the CISO under the CIO have it right? After all, it is information security under the Chief Information Officer. What part of that don’t you understand?
Having the CISO report into IT can work quite well if security has an adequate mandate and there’s good executive chemistry between the players, so that the CISO can stand up for security and the CIO for efficiency, they work it out, and they still respect each other the next day. This arrangement also minimizes the organizational distance between the CISO’s office and the IT functions it protects.
However, the counterpunch to the “one CIO to rule them all” camp is: Separation of duty (SoD). Suppose a big enterprise application project’s in trouble, the CIO wants to cut corners on security and the CISO’s too scared of the next performance evaluation (under that same CIO) to blow the whistle.
Regarding the other considerations:
- Organization size: A small organization’s CISO is more likely to wear multiple hats, if the position even exists.
- Organization governance maturity: Low-maturity organizations are less likely to have a CISO, and if they do, the position is more likely to report into IT. Greater maturity, on the other hand, lends itself to SoD.
- Criticality of IT and/or security: High technology organizations and financial services tend to be more likely to place the CISO position outside IT, either to give it more prominence or promote SoD. With the growth of regulatory concerns, we have detected a slight trend towards more organizations putting the CISO position somewhere outside IT and making it responsible for “policy” and “governance” while leaving “operations” in IT under a separate team.
- IT and OT: In oil/gas or utilities companies with a high quotient of operational technology (OT) that is separate from IT but to some degree protected by it, we sometimes see the CISO role positioned in a “neutral” spot between IT and OT.
The structure of the organization can also make a difference, with decentralized organizations having multiple CISOs and/or hierarchies of CISOs. Check out the recording of our recent security governance webinar for a full discussion of structural models.