January 9, 2018 By Christophe Veltsos 4 min read

In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?

The State of the Security Org Chart in 2018

In the latest edition of its “Global State of Information Security Survey,” PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officers (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Since PwC’s numbers add up to more than 100 percent and the actual survey questions aren’t provided, these numbers likely include dotted lines of reporting in addition to direct reports.

In contrast to the PwC survey, a Ponemon report titled “The Evolving Role of CISOs and Their Importance to the Business” found that, while 60 percent of CISOs have a direct channel to the CEO in case of serious cyber incidents, 50 percent still report to the CIO. In addition, 9 percent report to the chief technology officer (CTO), 9 percent to the chief financial officer (CFO), 8 percent to the general counsel, 6 percent to the chief operating officer (COO) and 6 percent to the risk management leader. Only 4 percent indicated that they report to the CEO.

The role of the CISO has matured and grown over the years. According to Barclays CSO Troels Oerting, as quoted in a Spencer Stuart blog post, “The CSO or CISO has a broader role than just to eliminate the threat. It’s also to deal with the crisis and the residual consequences.” As CEOs and board directors adjust their thinking about cybersecurity, the executive to whom the CISO reports makes a world of difference.

Location, Location, Location

As the old real estate adage goes, it’s all about location, location, location. In many ways, this is also true for CISOs. The particular position of the CISO on the security org chart influences the nature and frequency of interactions the security leader will have with other executives. Although CEB, now a part of Gartner, reported that CISO budgets have doubled in the past four years and that two-thirds of CISOs now present to boards at least twice per year, it isn’t always clear whether those interactions constitute true risk management or merely lip service.

There’s a big difference between listening to a presentation and being engaged with a topic. According to ServiceNow’s “Global CISO Study,” 83 percent of CISOs reported that the quality of their collaboration across the organization affects the success of the security program. Meanwhile, only 21 percent of CISOs said that security employees understand the way the organization is structured, the way it functions and the interdependencies across units. These numbers suggest that a CISO positioned lower on the org chart is fighting an uphill battle to improve collaboration with other units and to glean increased visibility into the many ebbs and flows of data across the organization.

In addition, the positioning of the CISO affects the way security projects are prioritized and how security controls are deployed, not to mention the size of the security budget. The net effect of a CISO sitting lower on the org chart is that of reduced visibility, much like blinders on a horse reduce peripheral vision: Instead of a 360-degree view of cyber risks, a marginalized CISO might only have a 90-degree view, along with a smaller budget. However, the Spencer Stuart article noted that while the positioning of the CISO matters, the executive to whom the CISO is accountable is just as important.

Empowering the CISO to Protect the Business

As the many high-profile data breaches of 2017 have proven, the CISO role is critical to help organizations weather both today’s cyberstorms and tomorrow’s emerging threats. A security leader who is empowered with the right visibility, support, accountability and budget — regardless of where he or she sits on the org chart — is best equipped to take on this task.

To ensure that the CISO is so empowered, top leadership must view and treat security as a strategic element of the business. In other words, they must view cyber risks as strategic risks. Internal collaboration with the security function should be supported and strongly encouraged at all levels of the organization.

The CISO should be asked to engage with the board on a regular basis. Board members should seek advice and opinions from the security leader and sometimes even ask him or her to provide a brief educational session. Board directors want to understand why management has chosen a particular course of action and how the effectiveness of that plan will be evaluated. The CPA Journal noted that “in some cases, the CISO functions as a point of contact for technology risk, similar to the role of CFOs in financial statement-related services.”

The security function, and especially the CISO as its leader, should be treated more like a business partner than an auditor — meaning that the various lines of business should engage with security and be forthcoming about the particular cyber risks each faces. The CEB report noted that security “expands engagement beyond IT and becomes embedded in business operations.” Furthermore, the relationship between the security function and IT should be dynamic instead of siloed and offer a checks-and-balances approach to top leadership. IT and security working together to enable and protect the business is just one of the three lines of defense.

Finally, the CISO, C-suite and board should develop an approach to reporting and discussing cyber risks that fits the organization and its risk profile. Metrics, dashboards and cybersecurity reports provide accurate, current and useful information to decision-makers.

Listen to the podcast: If you can’t measure it, you can’t manage it

Integrating the CISO Into the Business

Businesses who position the CISO improperly and fail to provide him or her with adequate support and visibility are sending a signal. If the CISO is buried down in IT, even if reporting directly to the CIO, his or her clout and influence will be greatly diminished. In a not-too-distant future, shareholders may look at such a setup and determine that the organization is inadequately prepared to deal with modern cyber risks.

In this global, hypercompetitive marketplace, few organizations can afford to undervalue their CISO. Perhaps one day we will reach a point where the CIO reports to the CISO. But for now, according to Richard Wildermuth, director of cybersecurity and privacy at PwC, as quoted in CSO Online, “a CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business.”

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today