CIOs vs. CISOs: Pros and cons of an 'adversarial' relationship

Not many CISOs report to their company CIO these days, and the two often don't see eye to eye. According to some industry practitioners, that's exactly how it should be.

When CSO teamed up with PricewaterhouseCoopers to conduct its Eighth Annual Global Information Security Survey earlier this year, one question asked whom CISOs report to these days. What the majority of respondents said was somewhat surprising.

Of the 12,847 respondents, only 6.5 percent described themselves as a chief information officer. Meanwhile, when CISOs were asked who they report to, most said the company CEO or board of directors. Fewer than a quarter of respondents said they report to the CIO.

A follow-up column questioned whether that's a good thing. The response to that was more jolting than the surprise over reporting structure.

The majority of the feedback mirrored this observation from Robert Alberti, a Minneapolis-based security and IT professional:

"CIOs and CISOs will always have an adversarial relationship, and that's as it should be," he wrote in the comments section of the column. "In my opinion, CISOs should never report to the CIO."
