Does it matter who the CISO reports to?

March 17, 2020 | 8 min read | Security Posture

With cybersecurity becoming a strategic imperative for the modern enterprise, companies committed to staying ahead of cyber threats highly value the role of the CISO. In such organizations, cybersecurity is viewed as an enabler to the business rather than a cost of doing business. While the CIO is tasked with leading and delivering on the overall technology strategy for the organization, the CISO is a seasoned cybersecurity specialist responsible for keeping a laser focus on enterprise security across networks, applications, data, devices, users, and systems.

Some CISOs directly report to the CIO with a dotted line to the CEO, whereas others report directly to the CEO. In many cases, the CISO is responsible for cyber risk reporting to the board of directors.

Reporting relationships are typically seen as lines on an org chart, but in reality, they go beyond that. They also represent the flow and direction of authority, so who the CISO reports to in an organization greatly impacts his or her ability to perform, requisition budget, and get a direct line to the C-suite table.

“2019 State of the CIO survey found that 23% of CISOs reported to the CEO, while nearly 45% reported into a CIO.” 

A healthy debate

In a recent LinkedIn post, Yaron Levi, CISO at Blue Cross and Blue Shield of Kansas City, kicked off a spirited conversation around this very topic when he asked, “Who should the CISO report to?” To date, he’s gotten over 100 comments. Here are some of the highlights.

  • Whether there is a CSO, a CISO, or both, the reporting structure will depend on the organization.
  • Whoever reports directly to the CEO will need to be able to combine technical expertise with strong competencies in business, leadership, and communications.
  • Whether the CISO reports to the CEO or the CIO, the CISO should have a direct line to the CEO and these two should spend meaningful 1:1 time together.

Catherine Salemi, VP at Encryptics

Organizations need to understand that the fundamentals of business operations are changing, and data is the new currency. As such, the commitment to security should come from the very top of the organization (board and CEO).

Jamil Farshchi, CISO at Equifax

I agree there is no one size fits all. I think that regardless of the reporting structure, the CISO should always have a direct line of communication to the board and the CEO, and should be empowered by them to advise and guide all levels on matters of cybersecurity risk.

Einat Meyron, Cyber Resilience and IR Consultant

I guess we can agree that CISOs need to start paying attention to the C in their title and act accordingly; otherwise, they will always be “that person who understands computers” and not the person you address to talk about strategy and insights.

Skip Mann, CSO|CISO|CRO at Lenovo Security

Until senior information security execs, regardless of where they are in the organizational structure, can present appropriate, simple, and understandable risk management decisions to boards of directors, security will be perceived as a drain on the bottom line and not an enabler for the business. When information security execs show, through metrics, how their programs protect value, the perception will start to change.

Eli Migdal, CEO of TowerWatch Solutions

We can’t expect the CEO to understand the security threat and risk. Threat and risk analysis is the CISO’s job and expertise. We do expect the CEO to understand the COST of the THREAT and the COST of the RISK, which means we need to speak in financial terms.

Scott Scanton, InfoSec Leader at Owens & Minor

To tie back to the original question, many CEOs implicitly gauge the relative cyber risk to be low, and thus place the CISO lower in the org. Demonstrating that this risk is more material than perceived will help elevate the role.

Mickey Bresman, CEO at Semperis

Two approaches that make a lot of sense (to me): (1) If the CISO is NOT reporting to the CIO, then the CISO can push back and demand more security measures (think of a tight deadline and shortcuts that might come instead of a more secured environment). (2) If the CISO reports to the CIO, then the security responsibility becomes mutual.

Yaron Levi, CISO at Blue Cross and Blue Shield of Kansas City

As an industry, we need to develop people who speak both languages and can bridge between the technical side and the business side. It all starts with risk assessment and threat modeling. CISOs must start there and advise the business leadership on the risk to the business from a security perspective.

Final thoughts

After reading through all the perspectives shared on this lively thread, it is clear that there is no one-size-fits-all reporting structure for the CISO. Choosing one requires an understanding of both the organization’s security objectives and the leadership’s perspective on security. The security maturity of the organization is also a critical factor.

But one aspect comes through loud and clear. Because CISOs play a critical role in the organization and in the C-suite, it is important to choose a reporting structure that gives them the executive access they need to inspire and lead others across the organization to transform cybersecurity posture.

Feel free to jump into the conversation and add your unique insights. This topic is definitely worth wrestling with.
