When the CISO does not report at the right level of an organization, misalignment between security, IT, the business, and the larger public ecosystems it serves is almost inevitable. Such misalignment often leads to dire consequences, increasing the chance of breaches whose average cost, according to surveys, can run north of $4 million.
Another survey from 2019 found that 38% of the Fortune 500 didn’t have a CISO and fewer than 4% of those who did listed the CISO on their company’s leadership pages. And many of the others are likely using a “basic structure” shown in the figure above. Are they right or wrong? Let’s see. I’ve adapted the following discussion from my upcoming book Rational Cybersecurity for Business, Chapter 3, “Put the Right Security Governance Model in Place.”
When Should a Business Actually Have a CISO?
Use of the “CISO” title sets an expectation that the security leader can represent the security program to the Board of Directors, external regulators, and other stakeholders as well as sit in on top business and IT leader meetings as a peer. Where the CISO reports in the business hierarchy is also an indicator of whether he or she is empowered to drive a cybersecurity program. This leads to my first “stake in the ground” position (#7 of our 50 keys to business alignment).
Caveat on the “CISO” title: The person in the CISO role must have sufficient managerial, technical, and risk management experience, as well as strong communication skills. Getting someone with these qualifications is expensive. But for an organization of a certain size in financial services, health care, or other vertical industries under security pressure, NOT having a CISO with strong qualifications will (sooner or later) be even more expensive.
CISO Reporting Options
In my experience most CISOs (or heads of security by whatever title) report to the CIO (or head of IT). Strong arguments can be made that this is a good thing: if the CISO is responsible for IT security, shouldn’t the position associate closely with IT? However, many security experts argue against putting the CISO too low in the organization chart, or against creating a potential conflict of interest between security and the CIO. After all, CIO performance objectives such as application time to market may run counter to security.
Experts with this view advocate having the CISO report to a senior executive outside of IT, such as the Chief Risk Officer (CRO), the CEO, or another C-level executive (collectively, “CXO” reporting in the discussion below).
For the purposes of rational cybersecurity, there isn’t one right answer. Suppose the Board considers this question: “What’s more important for our cybersecurity? Operational effectiveness and security-to-IT alignment, or strengthening security by making it an independent function?” Directors of highly regulated organizations tend to face more separation-of-duties requirements and prefer CXO reporting, whereas organizations under less security pressure are more likely to choose CIO reporting. Depending on the business’s cybersecurity maturity level, management style, and executive personalities, either reporting structure can work, with caveats.
CISO – CIO Reporting Structure Caveats
Even in organizations where the CISO reports to the CIO and is directly responsible for conducting or overseeing IT security operations, visibility at the top still matters. One of the Rational Cybersecurity project’s CISO contributors observed: “As the CISO, it is critical to be no more than one level removed from the Board (or CEO) and to have my name on the security section of the Corporate Board Reports.” Without that visibility, and the opportunity to present important security initiatives and budgets to executives, the CISO position might be too weak to meet the expectations created internally and externally by using the “CISO” title.
Also, note that empowering an independent internal audit function, whether or not regulations require it, can provide a check and balance on the CIO even when the CISO reports into IT.
CXO Reporting Structure Caveat
If a business places the CISO function outside IT, bear in mind that IT staff may consequently be responsible for more of the security operations. A dotted-line reporting arrangement could be set up between these staff and the CISO, provided the maturity in governance and awareness exists to enable such matrixed functions to work well. More than one security or business leader I spoke to in almost 60 interviews while writing the book agreed that this could be the right arrangement but that it requires maturity. The figure below depicts complex matrix governance in a large multinational corporation. The many dotted-line relationships in the figure reflect the maturity required to run well-articulated matrix governance.
Change is the Only Constant
More than one CISO I interviewed noted that the optimal CISO reporting structure depends on hard-to-quantify management style factors. And these factors change frequently.
Bottom Line
Where the CISO should report is one of those many questions that call for the consultant’s answer: “It depends.” But don’t let that be the end of the discussion, because for any one business, at any one time, there is one right answer. And in the harsh world of digital business cybersecurity, it is a question that management must answer correctly.