Editor's note: This article, originally published on June 12, 2018, has been updated to more accurately reflect recent trends.
Companies are increasingly recognizing the importance of having a top-level executive dedicated to security issues. That's one of the big findings of IDG's 2020 Security Priorities Study: 61% of surveyed companies have a security pro in the top ranks, and that rate goes up to 80% for large enterprises. In companies that employ such an executive, they play an important role: the same study found that companies without a CISO, CSO, or other top-level security executive were more likely to say their employee security training was inadequate and their security strategy was insufficiently proactive than those who had such officers.
But not all of these executives sit in the same spot on the org chart, and that can affect institutional culture and security outcomes. Security is a role that inevitably butts heads with others, since a security pro's instincts are to lock down systems and make them harder to access—something that can conflict with IT's job of making information and applications available in a frictionless way. That drama can play out at the top of the org chart as a CISO/CSO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organization: if the top security exec reports into the leadership of the IT department, that can constrain the CISO's ability to execute strategically, as their vision ends up being subordinated to IT's larger strategy.
Among the organizations surveyed in the 2020 Security Priorities Study, almost half of security chiefs had a direct connection to the top. In 34% of cases, the top security executive reported to the CEO, and in another 12% they reported to the board of directors. Meanwhile, 33% of the time, the CISO or equivalent reported into a corporate or divisional CIO. The rest were scattered under different silos, reporting to officers like the chief risk officer or general counsel. Perhaps unsurprisingly, smaller companies tended to have flatter organizational arrangements: the study found that 59% of top security execs at SMBs reported to the CEO, whereas that was true at only 22% of large enterprises.
Another interesting, if unsurprising, correlation: security execs who have the ear of top management are more likely to win a larger portion of the IT budget for security purposes. That's clear from the 2019 State of the CIO survey, conducted by our sister site CIO.com. Companies that spent less than 5% of their IT budget on security were equally likely to have their CSOs report to CIOs or CEOs; but at companies that spent 10% or more on security, the CSO was almost twice as likely to report to the CEO. The effect was even more pronounced at companies where the top security title holder was CISO: only 3% of CISOs at companies that spent less than 5% of their IT budget reported to the CEO, but 26% of CISOs at companies that spent more than 10% did.
What's in a title?
Since we've been juggling different titles here, let's talk about them for a moment. There are some broad trends in usage that may seem to distinguish CSOs from CISOs. In general, according to the 2019 State of the CIO research, CSOs tend to be higher up the org chart: At respondent companies where the top security exec has a CSO title, 43% report directly to the CEO; but only 18% of CISOs report to the top. And 9% of survey respondents said their chief infosec executive reported in to someone with a CSO title, indicating that job sometimes included duties beyond IT, most notably physical security.
But there are plenty of exceptions, and for many companies the CSO job is purely technical in scope. Rather than try to draw a hard-and-fast distinction, we'll use "CSO" generically to refer to a top-level security exec, with the assumption that most if not all of their job duties focus on information security. Indeed, many of the experts CSO interviewed for this article use CISO and CSO interchangeably.
Safe in the nest of IT?
Companies as a rule don't start off as giant enterprises: they grow into them, and often their reporting structures are formed in the process of that growth. In relatively new companies, a structure where the CSO reports to the CIO or other head of IT is common, says Edward Marchewka, founder of Chicago Metrics. This is especially true if, as he puts it, "there is a good deal of blocking and tackling still left to do—basic processes like ensuring proper firewall rules or timely application of security patches or even basic inventory of company asserts. It is hard to protect information and devices if you don’t know where it is." Paul Wallenberg, Unit Manager of Technology Recruiting Services at LaSalle Network, says this arrangement works well to give the CIO the full lay of the land in IT, with "comprehensive visibility across all information technology domains rolling up to one central person."
But as a company grows, security can find itself chafing under the CIO umbrella. In particular, a CSO might find that their job doesn't necessarily have the same goals and incentives as the rest of the IT department. Dave Burg, EY Americas Cybersecurity Leader, says that a structure where a CSO reports to a CIO can result in "over-leveraging towards cost management as opposed to risk management." Alexander Yampolskiy, a former CSO who's now CEO of SecurityScorecard, puts it more bluntly: a CIO "is usually rewarded for delivering business projects, which affect revenue. The CISO's job is to fix vulnerabilities—and those security projects will always create tension for resources with revenue-driving projects."
There's also the matter of differing priorities: a CIO has a long list of goals, and if the CSO is under their umbrella, they may find themselves shunted to one side in the quest to complete a big project. Brian Brammeier, CEO of HigherGround Managed Services, describes a scenario he encountered within a company where he consulted. "There was a major security issue that was leaking data. The CIO was notified, but it didn’t get the priority that was needed because he didn’t classify it as a drop-everything-and-fix problem—which it was. The director of security approached the board because of the gravity of the issue, and they changed the reporting structure so that the CISO reported directly to the board.
"When a security issue is discovered, people may be defensive," Brammeier explains. "At onset, it doesn’t matter who’s fault it is; the issue just needs to be resolved." But in the real world, not everyone is so broad-minded, and not every conflict between a CSO and their CIO boss is going to end like the episode Brammeier describes. "Yes, you can inform the board of your disagreement with the direction the CIO is taking," says Kudelski Security's Hicks, "but it typically does not help with your longevity as a CISO."
Getting strategic
Reporting into a CIO can constrain a CSO's ability to execute strategically, says Bil Harmer, CISO at Zscaler. CSOs in that position "are both financially and personally invested in the security posture they have advocated for," he explains. "The perceived repercussions of admitting the security architectures they have built are no longer effective can create a lot of pressure, and the CISO is therefore less likely to tear it down and adjust when needed. Overall, CISOs don’t feel empowered or encouraged to pivot in ways that benefit the overall business."
Having a direct line to higher ups in the company can help break CSOs out of that trap. "Once the tech side of a company has matured," says Chicago Metrics' Marchewka, "the security organization can transition to more of a risk-based approach and report into higher parts of the business." Indeed, most of the people we spoke to felt that a good sign of a forward-thinking company is a CSO who doesn't answer to a CIO, but who is instead in a position to think like one of the company's leaders.
Several executives we spoke to touted an organization where the CSO has more of a coordinating role across multiple departments. "The 'command and control' CISO who owns everything security related is no longer a valid construct," says BluVectorCEO Kris Lovejoy. "The CISO becomes a committee chairman, responsible for gathering and communicating cross-organizational metrics that will be packaged and presented to leadership." Netskope CISO Lamont Orange adds, "In this model, security architecture resides in each of the functional areas of the organization, with the CISO providing governance and transparency."
In other words, the CSO needs to get out of the IT silo. "The days of the CISO being completely IT-centric and as such being in a role under the CIO is gone," says Brian Contos, CISO for Verodin. "Managing security effectiveness and risk management transcends IT and has to operate at an executive level so that technical and non-technical decision makers can be armed with evidence-based data in order to make business decisions more effectively and efficiently from an informed position."
Powwows with bigwigs
Getting the ear of those decision makers is one of the most important reasons why a CSO might want to get out from under the IT umbrella—and the closer you can get to the top, the better. "In an ideal world, a CSO/CISO would report directly to the board of directors," says Kudelski Security's Hicks. "Given the political realities at most firms, I think a more realistic target is to report to the CEO or equivalent. For a CISO or CSO to be truly effective, they need access to the central decision-making process and the authority to participate in that process as an independent voice. To truly provide guidance to the organization around the security of its information and assets, you need to be in the executive level decision-making conversations. And not simply as an observer: you need a full vote."
Having top leadership's ear has concrete and practical benefits when it comes to getting the resources a CSO needs. "Typically, in successful organizations with a strong culture of security, we see the CSO report to leaders such as the CFO or COO," says Chris Duvall, Senior Director at The Chertoff Group. "These leadership roles are often heavily involved in the day-to-day decision making and have the ability to understand and incorporate long-term security needs into capital expenditure planning, as well as to resource and extract 'emergency' requirements and funds when necessary," he says.