Who should the CISO report to?
John Kirkwood says the answer depends on which of these 3 kinds of CISO your company needs
By John Kirkwood
March 16, 2012 — CSO —
It seems like a simple question. After all, there is little debate about where other C-suite officers should report. While there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer, these are relatively tame compared to the heated debate that I have witnessed and been a part of over the past few years.
The fact that this question is asked at all is an indication of the growing acceptance of the CISO role and function. In 2006, only 22 percent of the more than 7,000 organizations responding to PricewaterhouseCoopers' annual information security survey reported having a CISO or equivalent. By 2011, more than 80 percent of respondents reported having a CISO.
But there remains strong disagreement about to whom the CISO should report. The prevailing recommendation is that the CISO absolutely should not report to the CIO. According to many people who write on this topic, having the CISO report into the IT organization violates segregation of duties: the function that builds and runs the systems would also be grading its own security. However, the fact is that between 40 percent and 60 percent of CISOs do report to the CIO or IT executive, depending on industry. And in some industries there is a clear trend toward this reporting structure.
Even if we all agreed that the CISO should not report to the CIO, that does not answer the question. If you ask seven world-class organizations where the CISO should report, you might well get seven world-class answers, each of them vehemently defended by the company that proposed it.
Let's take a step back and take a look at the question from a different perspective. When you are introduced to a doctor, you would probably ask, "What type of doctor are you?" The response will indicate the doctor's specialty, skills, training and experience. And if you were looking for an attorney or accountant, your first question to them would be what type of attorney or accountant they were.
When introduced to a CISO, you can't ask that question. We do not think of there being types of CISOs. The question we tend to ask instead is, "Where do you report?" Who a CISO reports to is a general indicator of the types of duties he or she performs. For example, it's likely that a CISO who reports to legal and compliance won't have security operations responsibilities, but one who reports to the manager of network operations and infrastructure probably will.