Should CISOs join CEOs in the C-suite?

IT executives weigh in on whether information security leaders should report to CEOs or to CIOs, or whether there should be a dotted line to both.


C-level executives have titles that begin with “chief.” But that doesn’t mean they all sit in the C-suite, which is reserved for CEOs and a select few others. 

Chief financial officers (CFOs) and chief operating officers (COOs) are the most common executives in the C-suite. They report to the CEO, attend board meetings, and fly 30,000 feet over their organizations for the big picture. 

Most CIOs, on the other hand, report to CFOs and COOs; they don’t sit in the C-suite. There are other next-generation chief titles that also haven’t crashed the boardroom yet. 

Chief information security officers (CISOs) are a unique C-level breed. Historically, they’ve been two steps removed from CEOs, reporting to CIOs. But the times are a changin’ for CISOs, and they are starting to receive C-suite invitations.

If it’s true that cybercrime is the biggest threat to every company in the world, then it explains why CEOs are calling on their CISOs to discuss cyber threats and risks with the board. 

One industry expert explains that there’s a reordering of org charts as it relates to CISOs. 

“Historically, CISOs reported into IT,” says Joseph Steinberg, an Inc. Magazine columnist covering cybersecurity. “Over time, however, as information security became a higher profile risk and its management a more visible function, many organizations transitioned the CISO to report into either the CEO or COO, with a dotted line into IT. While exact reporting structure obviously varies from organization to organization, the general trend of elevating the role of the CISO is likely to continue.” 

What IT executives are saying about CISOs in the C-suite 

Cybersecurity Ventures reached out to its LinkedIn network for feedback on how experienced senior IT and security executives see the CISO reporting structure. As with any new trend, the opinions vary, but there’s a lot of chatter on the topic. 

“A CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business,” says Richard Wildermuth, director of cybersecurity and privacy at PwC, a Big 4 auditor and consulting house with experience around best practices for structuring and running global organizations, as well as enterprise information security operations. 

“Often there is an inherent conflict of interest with a CIO running the budget that reduces a CISO’s ability to execute. However, I have yet to see a model that was flawless or inversely that couldn't work when there is support from the board and from the executive leadership team,” he adds. 

To put it another way, CISOs need to be in control of their own purse strings. 

“CIOs don't want to lose control, especially when their departments or divisions are the ones that least adhere to security controls,” says Richard Hudson, vice president of cybersecurity & data protection at Cordium, a global risk management firm, and former CISO at Mizuho Bank. “Any CISO or equivalent in that reporting role to the CIO today is already looking for a new job.” 

The point being, some CISOs don’t want to be the scapegoat for inadequate IT security if it’s not their doing. 

“Chief Risk Officer (CRO) is the other reporting option that is becoming increasingly popular,” says Steven Grossman, vice president of strategy and enablement at Bay Dynamics, an enterprise cyber risk analytics company. “In my opinion, one of the most important aspects of the CISO's reporting line is that his/her perspective does not get altered (watered down) on its way to the CEO and the board.” 

Considering CROs typically don’t report to CEOs, this reporting structure may distance CISOs from top executives. 

“As a CIO, I have no problem with the CISO reporting to the CEO,” says Shawn Riley, CIO at the State of North Dakota and former senior IT executive at Mayo Clinic. “CIOs and CISOs need to be partners, but both have deliverables that should receive CEO attention in today's world.” 

A working partnership between the CIO and the CISO is clearly a successful formula, regardless of who reports to whom.

“CISOs should report to the CEO with further exposure and responsibility to the board of directors,” says Alp Hug, founder and COO at Zenedge, a DDoS and malware protection vendor. “The time has come for boardrooms to consider cybersecurity a key requirement of every organization's core infrastructure along with a financial system, HRMS, CRM, etc., necessary to ensure the livelihood and continuity of the business.”

If a board of directors says defending their organization against cyber crime and cyber warfare is a top priority, then they’ll demonstrate it by inviting their CISO into the boardroom.

“Of course CISOs and equivalents will say they should report to the CEO,” says John Daniels, global vice president at HIMSS Analytics, a wholly owned subsidiary of HIMSS, a leading healthcare research and advisory firm. “That's what CIOs said when that role came about. There is no single cookie-cutter structure. ... There are many organization-specific factors that come into play (size, resources, etc.). Do what's best for the organization to achieve the risk level acceptable to the organization.”

Healthcare providers and hospitals are among the most cyber-attacked industries, if not the most. With ransomware attacks on hospitals predicted to quadruple over the next five years, perhaps CISOs reporting directly to CEOs should be the cookie-cutter approach for those organizations. 

Another option: The compliance leader (chief compliance officer, senior vice president of compliance, etc.) should report to the board, and the CISO should report to that compliance officer, says Drex DeFord, a member of the board of directors at CynergisTek, Inc., a leading cybersecurity and information management consulting firm dedicated to serving the healthcare industry. 

“The board needs to understand the unfiltered risk. Some will say: In a perfect world, everyone collaborates well, and the reporting chain doesn’t matter. So, of course, it does out here in the real world,” says DeFord, who previously held CIO positions at Steward Healthcare, Seattle Children’s Hospital, and Scripps Health, and was once CTO at the U.S. Air Force Office of the Surgeon General.

If a board of directors doesn’t understand their organization’s cyber risks, it isn’t likely they’ll approve a large cybersecurity budget.

CISOs play a critical role at Fortune 500, Global 2000, and mid-sized corporations. Don’t be surprised if yours gets a ticket to the next boardroom dance.

Have an opinion on this? Share here for a future story on this topic. 

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.

Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn. Send story tips, feedback and suggestions to me here.
