January 9, 2018 By Christophe Veltsos 4 min read

In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?

The State of the Security Org Chart in 2018

In the latest edition of its “Global State of Information Security Survey,” PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officers (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Since PwC’s numbers add up to more than 100 percent and the actual survey questions aren’t provided, these numbers likely include dotted lines of reporting in addition to direct reports.

In contrast to the PwC survey, a Ponemon report titled “The Evolving Role of CISOs and Their Importance to the Business” found that, while 60 percent of CISOs have a direct channel to the CEO in case of serious cyber incidents, 50 percent still report to the CIO. In addition, 9 percent report to the chief technology officer (CTO), 9 percent to the chief financial officer (CFO), 8 percent to the general counsel, 6 percent to the chief operating officer (COO) and 6 percent to the risk management leader. Only 4 percent indicated that they report to the CEO.

The role of the CISO has matured and grown over the years. According to Barclays CSO Troels Oerting, as quoted in a Spencer Stuart blog post, “The CSO or CISO has a broader role than just to eliminate the threat. It’s also to deal with the crisis and the residual consequences.” As CEOs and board directors adjust their thinking about cybersecurity, the executive to whom the CISO reports makes a world of difference.

Location, Location, Location

As the old real estate adage goes, it’s all about location, location, location. In many ways, this is also true for CISOs. The particular position of the CISO on the security org chart influences the nature and frequency of interactions the security leader will have with other executives. Although CEB, now a part of Gartner, reported that CISO budgets have doubled in the past four years and that two-thirds of CISOs now present to boards at least twice per year, it isn’t always clear whether those interactions constitute true risk management or merely lip service.

There’s a big difference between listening to a presentation and being engaged with a topic. According to ServiceNow’s “Global CISO Study,” 83 percent of CISOs reported that the quality of their collaboration across the organization affects the success of the security program. Meanwhile, only 21 percent of CISOs said that security employees understand the way the organization is structured, the way it functions and the interdependencies across units. These numbers suggest that a CISO positioned lower on the org chart is fighting an uphill battle to improve collaboration with other units and to glean increased visibility into the many ebbs and flows of data across the organization.

In addition, the positioning of the CISO affects the way security projects are prioritized and how security controls are deployed, not to mention the size of the security budget. The net effect of a CISO sitting lower on the org chart is that of reduced visibility, much like blinders on a horse reduce peripheral vision: Instead of a 360-degree view of cyber risks, a marginalized CISO might only have a 90-degree view, along with a smaller budget. However, the Spencer Stuart article noted that while the positioning of the CISO matters, the executive to whom the CISO is accountable is just as important.

Empowering the CISO to Protect the Business

As the many high-profile data breaches of 2017 have proven, the CISO role is critical to help organizations weather both today’s cyberstorms and tomorrow’s emerging threats. A security leader who is empowered with the right visibility, support, accountability and budget — regardless of where he or she sits on the org chart — is best equipped to take on this task.

To ensure that the CISO is so empowered, top leadership must view and treat security as a strategic element of the business. In other words, they must view cyber risks as strategic risks. Internal collaboration with the security function should be supported and strongly encouraged at all levels of the organization.

The CISO should be asked to engage with the board on a regular basis. Board members should seek advice and opinions from the security leader and sometimes even ask him or her to provide a brief educational session. Board directors want to understand why management has chosen a particular course of action and how the effectiveness of that plan will be evaluated. The CPA Journal noted that “in some cases, the CISO functions as a point of contact for technology risk, similar to the role of CFOs in financial statement-related services.”

The security function, and especially the CISO as its leader, should be treated more like a business partner than an auditor — meaning that the various lines of business should engage with security and be forthcoming about the particular cyber risks each faces. The CEB report noted that security “expands engagement beyond IT and becomes embedded in business operations.” Furthermore, the relationship between the security function and IT should be dynamic instead of siloed and offer a checks-and-balances approach to top leadership. IT and security working together to enable and protect the business is just one of the three lines of defense.

Finally, the CISO, C-suite and board should develop an approach to reporting and discussing cyber risks that fits the organization and its risk profile. Metrics, dashboards and cybersecurity reports provide accurate, current and useful information to decision-makers.

Listen to the podcast: If you can’t measure it, you can’t manage it

Integrating the CISO Into the Business

Businesses who position the CISO improperly and fail to provide him or her with adequate support and visibility are sending a signal. If the CISO is buried down in IT, even if reporting directly to the CIO, his or her clout and influence will be greatly diminished. In a not-too-distant future, shareholders may look at such a setup and determine that the organization is inadequately prepared to deal with modern cyber risks.

In this global, hypercompetitive marketplace, few organizations can afford to undervalue their CISO. Perhaps one day we will reach a point where the CIO reports to the CISO. But for now, according to Richard Wildermuth, director of cybersecurity and privacy at PwC, as quoted in CSO Online, “a CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business.”

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today