The role of the Chief Information Security Officer (CISO) within an organization has matured and grown over the last few years. The CISO increasingly has a broader role than just eliminating threats. The role now deals with the risks and the residual consequences in the cybersecurity realm.
The position of the CISO role within the organization chart influences the nature and frequency of interactions that the security leader will have with other executives.
The security function, and especially the CISO as its leader, should be thought of more as a business partner than an auditor — meaning that the various lines of business should engage with security and be forthcoming about the cyber risks that each face. Several reports have noted that security expands engagement beyond IT and becomes embedded in business operations. Furthermore, the relationship between the security function and IT should be dynamic instead of siloed, offering a checks-and-balances approach to leadership.
Businesses who position the CISO improperly and fail to provide him or her with adequate support and visibility are sending a signal. If the CISO is buried down in IT, even if reporting directly to the CIO, his or her influence will be greatly diminished. In a not-too-distant future, government officials may look at such a setup and determine that the organization is inadequately prepared to deal with modern cyber risks. Overall, a mature organization is seen where the CISO reports to the CEO.
In “Is the CISO Reporting Structure Outdated?” from Security Intelligence (you can access the article here), Scott Koegler notes that:
- Cybersecurity affects multiple verticals within an organization, not just IT. For example, a marketing department’s CMO may have differing views and needs as compared to a CIO, and the CISO must take all of those inputs into account.
- CISOs need to lead the discussion on cybersecurity and be able to make independent decisions.
A few additional points to consider as well:
- Security is an issue for the entire company, not just the IT department. A CISO’s job is not to protect IT – a CISO’s job is to protect the business by exposing risk.
- Organizations where CISOs report to CIOs have 14% more downtime due to security incidents, according to a study by PwC.
- Organizations where the CISO reports to the CIO have financial losses that are 46% higher, according to the same PwC research.
- Some regulators are beginning to mandate CISOs report to the CEO – and many more may follow. In Israel, for example, there are laws dictating that CISOs report directly to the CEO.