Where the CISO Should Sit on the Security Org Chart and Why It Matters

In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?

The State of the Security Org Chart in 2018

In the latest edition of its “Global State of Information Security Survey,” PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officers (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Since PwC’s numbers add up to more than 100 percent and the actual survey questions aren’t provided, these numbers likely include dotted lines of reporting in addition to direct reports.

In contrast to the PwC survey, a Ponemon report titled “The Evolving Role of CISOs and Their Importance to the Business” found that, while 60 percent of CISOs have a direct channel to the CEO in case of serious cyber incidents, 50 percent still report to the CIO. In addition, 9 percent report to the chief technology officer (CTO), 9 percent to the chief financial officer (CFO), 8 percent to the general counsel, 6 percent to the chief operating officer (COO) and 6 percent to the risk management leader. Only 4 percent indicated that they report to the CEO.

The role of the CISO has matured and grown over the years. According to Barclays CSO Troels Oerting, as quoted in a Spencer Stuart blog post, “The CSO or CISO has a broader role than just to eliminate the threat. It’s also to deal with the crisis and the residual consequences.” As CEOs and board directors adjust their thinking about cybersecurity, the executive to whom the CISO reports makes a world of difference.

Location, Location, Location

As the old real estate adage goes, it’s all about location, location, location. In many ways, this is also true for CISOs. The particular position of the CISO on the security org chart influences the nature and frequency of interactions the security leader will have with other executives. Although CEB, now a part of Gartner, reported that CISO budgets have doubled in the past four years and that two-thirds of CISOs now present to boards at least twice per year, it isn’t always clear whether those interactions constitute true risk management or merely lip service.

There’s a big difference between listening to a presentation and being engaged with a topic. According to ServiceNow’s “Global CISO Study,” 83 percent of CISOs reported that the quality of their collaboration across the organization affects the success of the security program. Meanwhile, only 21 percent of CISOs said that security employees understand the way the organization is structured, the way it functions and the interdependencies across units. These numbers suggest that a CISO positioned lower on the org chart is fighting an uphill battle to improve collaboration with other units and to glean increased visibility into the many ebbs and flows of data across the organization.

In addition, the positioning of the CISO affects the way security projects are prioritized and how security controls are deployed, not to mention the size of the security budget. The net effect of a CISO sitting lower on the org chart is that of reduced visibility, much like blinders on a horse reduce peripheral vision: Instead of a 360-degree view of cyber risks, a marginalized CISO might only have a 90-degree view, along with a smaller budget. However, the Spencer Stuart article noted that while the positioning of the CISO matters, the executive to whom the CISO is accountable is just as important.

Empowering the CISO to Protect the Business

As the many high-profile data breaches of 2017 have proven, the CISO role is critical to help organizations weather both today’s cyberstorms and tomorrow’s emerging threats. A security leader who is empowered with the right visibility, support, accountability and budget — regardless of where he or she sits on the org chart — is best equipped to take on this task.

To ensure that the CISO is so empowered, top leadership must view and treat security as a strategic element of the business. In other words, they must view cyber risks as strategic risks. Internal collaboration with the security function should be supported and strongly encouraged at all levels of the organization.

The CISO should be asked to engage with the board on a regular basis. Board members should seek advice and opinions from the security leader and sometimes even ask him or her to provide a brief educational session. Board directors want to understand why management has chosen a particular course of action and how the effectiveness of that plan will be evaluated. The CPA Journal noted that “in some cases, the CISO functions as a point of contact for technology risk, similar to the role of CFOs in financial statement-related services.”

The security function, and especially the CISO as its leader, should be treated more like a business partner than an auditor — meaning that the various lines of business should engage with security and be forthcoming about the particular cyber risks each faces. The CEB report noted that security “expands engagement beyond IT and becomes embedded in business operations.” Furthermore, the relationship between the security function and IT should be dynamic instead of siloed and offer a checks-and-balances approach to top leadership. IT and security working together to enable and protect the business is just one of the three lines of defense.

Finally, the CISO, C-suite and board should develop an approach to reporting and discussing cyber risks that fits the organization and its risk profile. Metrics, dashboards and cybersecurity reports provide accurate, current and useful information to decision-makers.

Listen to the podcast: If you can’t measure it, you can’t manage it

Integrating the CISO Into the Business

Businesses who position the CISO improperly and fail to provide him or her with adequate support and visibility are sending a signal. If the CISO is buried down in IT, even if reporting directly to the CIO, his or her clout and influence will be greatly diminished. In a not-too-distant future, shareholders may look at such a setup and determine that the organization is inadequately prepared to deal with modern cyber risks.

In this global, hypercompetitive marketplace, few organizations can afford to undervalue their CISO. Perhaps one day we will reach a point where the CIO reports to the CISO. But for now, according to Richard Wildermuth, director of cybersecurity and privacy at PwC, as quoted in CSO Online, “a CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business.”

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...