January 9, 2018 By Christophe Veltsos 4 min read

In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?

The State of the Security Org Chart in 2018

In the latest edition of its “Global State of Information Security Survey,” PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officer (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Since PwC’s numbers add up to more than 100 percent and the actual survey questions aren’t provided, these figures likely include dotted-line reporting relationships in addition to direct reports.

In contrast to the PwC survey, a Ponemon report titled “The Evolving Role of CISOs and Their Importance to the Business” found that, while 60 percent of CISOs have a direct channel to the CEO in case of serious cyber incidents, 50 percent still report to the CIO. In addition, 9 percent report to the chief technology officer (CTO), 9 percent to the chief financial officer (CFO), 8 percent to the general counsel, 6 percent to the chief operating officer (COO) and 6 percent to the risk management leader. Only 4 percent indicated that they report to the CEO.

The role of the CISO has matured and grown over the years. According to Barclays CSO Troels Oerting, as quoted in a Spencer Stuart blog post, “The CSO or CISO has a broader role than just to eliminate the threat. It’s also to deal with the crisis and the residual consequences.” As CEOs and board directors adjust their thinking about cybersecurity, the executive to whom the CISO reports makes a world of difference.

Location, Location, Location

As the old real estate adage goes, it’s all about location, location, location. In many ways, this is also true for CISOs. The particular position of the CISO on the security org chart influences the nature and frequency of interactions the security leader will have with other executives. Although CEB, now a part of Gartner, reported that CISO budgets have doubled in the past four years and that two-thirds of CISOs now present to boards at least twice per year, it isn’t always clear whether those interactions constitute true risk management or merely lip service.

There’s a big difference between listening to a presentation and being engaged with a topic. According to ServiceNow’s “Global CISO Study,” 83 percent of CISOs reported that the quality of their collaboration across the organization affects the success of the security program. Meanwhile, only 21 percent of CISOs said that security employees understand the way the organization is structured, the way it functions and the interdependencies across units. These numbers suggest that a CISO positioned lower on the org chart is fighting an uphill battle to improve collaboration with other units and to glean increased visibility into the many ebbs and flows of data across the organization.

In addition, the positioning of the CISO affects the way security projects are prioritized and how security controls are deployed, not to mention the size of the security budget. The net effect of a CISO sitting lower on the org chart is that of reduced visibility, much like blinders on a horse reduce peripheral vision: Instead of a 360-degree view of cyber risks, a marginalized CISO might only have a 90-degree view, along with a smaller budget. However, the Spencer Stuart article noted that while the positioning of the CISO matters, the executive to whom the CISO is accountable is just as important.

Empowering the CISO to Protect the Business

As the many high-profile data breaches of 2017 have proven, the CISO role is critical to help organizations weather both today’s cyberstorms and tomorrow’s emerging threats. A security leader who is empowered with the right visibility, support, accountability and budget — regardless of where he or she sits on the org chart — is best equipped to take on this task.

To ensure that the CISO is so empowered, top leadership must view and treat security as a strategic element of the business. In other words, they must view cyber risks as strategic risks. Internal collaboration with the security function should be supported and strongly encouraged at all levels of the organization.

The CISO should be asked to engage with the board on a regular basis. Board members should seek advice and opinions from the security leader and sometimes even ask him or her to provide a brief educational session. Board directors want to understand why management has chosen a particular course of action and how the effectiveness of that plan will be evaluated. The CPA Journal noted that “in some cases, the CISO functions as a point of contact for technology risk, similar to the role of CFOs in financial statement-related services.”

The security function, and especially the CISO as its leader, should be treated more like a business partner than an auditor — meaning that the various lines of business should engage with security and be forthcoming about the particular cyber risks each faces. The CEB report noted that security “expands engagement beyond IT and becomes embedded in business operations.” Furthermore, the relationship between the security function and IT should be dynamic instead of siloed and offer a checks-and-balances approach to top leadership. IT and security working together to enable and protect the business is just one of the three lines of defense.

Finally, the CISO, C-suite and board should develop an approach to reporting and discussing cyber risks that fits the organization and its risk profile. Metrics, dashboards and cybersecurity reports provide accurate, current and useful information to decision-makers.


Integrating the CISO Into the Business

Businesses that position the CISO improperly and fail to provide him or her with adequate support and visibility are sending a signal. If the CISO is buried down in IT, even if reporting directly to the CIO, his or her clout and influence will be greatly diminished. In the not-too-distant future, shareholders may look at such a setup and conclude that the organization is inadequately prepared to deal with modern cyber risks.

In this global, hypercompetitive marketplace, few organizations can afford to undervalue their CISO. Perhaps one day we will reach a point where the CIO reports to the CISO. But for now, according to Richard Wildermuth, director of cybersecurity and privacy at PwC, as quoted in CSO Online, “a CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business.”
