March 1, 2016 By Christophe Veltsos 4 min read

To whom CISOs report and what access and influence they have are as important as their qualifications and experience. The role must be senior enough for the CISO to gain the respect of C-level executives and the board.”The Wall Street Journal

There’s a good reason why Fast Company called the job of chief information security officer (CISO) the “hottest seat in corporate America today.” One way to interpret hot seat is as a good thing. “Security and risk management must become part of every business decision, and nobody within the enterprise is better positioned to advocate for those issues than the CISO,” Fast Company noted.

However, the other way to interpret the term recognizes the difficult situation in which CISOs find themselves, particularly when it comes to whom they report to and how they can make their voices heard.

Most CISOs Still Report to CIOs, but for How Long?

A Dark Reading article by K logix CEO Kevin West reported that 50 percent of CISOs in one survey predicted they would be reporting to the CEO in the near future. However, the current reality for the same people surveyed is that 50 percent currently report to the CIO, 15 percent to the CEO and the rest to the COO or a risk leader.

A positive development from the K logix study is that 92 percent of the CISOs reported some level of interaction with the board of directors. Yet most also found the relationship to be lopsided and wished for more engaged conversations around risk.

A similar picture was painted in the “Governance of Cybersecurity: 2015 Report” by the Georgia Tech Information Security Center (GTISC). The report noted that “segregation-of-duty issues continue to be a problem in CISO/CIO reporting lines.” It also observed that the numbers are similar to those in its 2010 and 2012 reports: 40 percent of CISOs report to CIOs, 22 percent to the CEO, 8 percent to the CFO and 6 percent to general counsel.

It’s understandable that CIOs and CFOs would not volunteer their own position and that of their subordinates for reorganizing. Why would anyone expect them to approach the board or the rest of the C-suite and say: “I think the CISO should no longer be reporting to me as it is a source of conflict and prevents direct, possibly heated — yet necessary — discussions concerning cyber risks”?

In a piece from The Wall Street Journal, Avivah Litan, a Gartner cybersecurity analyst, said, “The security function needs to be elevated to [the] CEO level to give the organization the check and balance, and integrity, it needs.” This isn’t the first time it’s been noted that security leaders should have a dotted line to the board itself.

Repositioning the role away from reporting to the CIO might be especially important given other changes in the business. A study by Insight UK titled “The Reinvention of the CIO” found that 22 percent of senior directors think most of the technology budget should sit with the board, while 55 percent maintain that the CIO is a level below other C-level management positions.

Additionally, 44 percent felt that the CIO has lost importance in the past two years. If CIOs lose their executive seat status, where does that leave the CISO?

Even the Government Is Getting On Board

A report entitled “Information Security at the Department of Health and Human Services” by the U.S. House of Representatives Committee on Energy and Commerce advocated for relocating the CISO position at the HHS away from the CIO. Instead, it was advised to be under the general counsel at the same level as the CIO.

Justification for this shift included the notion that “the placement of the CISO within the Office of the General or Chief Counsel specifically acknowledges the fact that information security has evolved into a risk-management activity, traditionally the purview of the legal team.”

The report also noted that “organizations are migrating away from the traditional CIO-CISO reporting structure to eliminate the tensions between security and operations that the traditional structure creates. It also removes information security from the IT ‘silo’ and allows experts from across the organization to see and influence information security decisions.”

An Upside-Down World

In what many found to be a surprising announcement, one company flipped the reporting structure upside down. “The CIO at Booz Allen Hamilton actually works for our CISO,” explained Thad Allen, Booz Allen executive vice president, to BankInfoSecurity. “We have elevated the role of security function associated with information to an all-encompassing umbrella, in which we consider all of our systems operations.”

Finding the Right Balance

Cyber risks don’t respect the functional boundaries of the organization. From a cyber perspective, what one side of the enterprise does impacts the cyber risk levels of the entire business. A breach at a single point in the organization’s systems or at a branch office can lead to a massive compromise of the entire network and possibly all the organization’s data.

One of the key recommendations from the GTISC’s report is that boards of directors should “ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO and CPO should report independently to senior management.”

Similarly, in The Wall Street Journal, one executive indicated his preference is for the CISO to report to the CEO. However, he noted that the best boss for a CISO would be whoever “best champions security throughout the organization.”

Ultimately, CISOs may end up reporting to CEOs, COOs, CFOs, CTOs, CIOs, CROs or general counsel. What matters is the ability to have the ear and the attention of senior management and the board, and to have engaged conversations around cyber risks.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today