Does it matter who the CISO reports to?

Reporting relationships are more than lines on an org chart; they're lines of authority. Ultimately, who the CISO reports to may say more about an organization's maturity than it does about an individual's effectiveness.

Tech executives have had a place at the top of the org chart since the advent of the CIO title in the 1980s and '90s. And as tech security has become a more and more overriding concern for top executives, more recent additions to the C-suite have come in the form of Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs). But not everyone with "C" in their title is created equal, which leads to the question: to whom should these security execs report?

This is more than just an administrative matter. The org chart defines fiefdoms and lines of authority within an enterprise, and the right reporting structure can mean the difference between success and failure for a company — and for the executives working there. Jason Hicks, managing director of advisory services at Kudelski Security and a former CISO himself, puts it like this: "You need organizational clout to be taken seriously. And unfortunately, this is often determined by reporting relationships, not competency."

The Global State of Information Security Survey 2018 (GSISS), conducted jointly by CIO, CSO and PwC, captures an industry in transition. The survey found that 40 percent of top infosec executives reported to the CEO, and 27 percent directly to the board of directors; only 24 percent reported into a CIO. But top leadership still isn't as involved as it should be; only 44 percent of respondents said their corporate boards actively participate in their companies’ overall security strategy.

The GSISS 2018 survey also revealed that reporting structure does have some effect on the financial impact of security incidents (see chart below). In organizations where the CSO reports to the CIO, respondents reported average estimated total financial losses of $2,577,513 due to security incidents. Those that report to the CEO had estimated losses of $2,545,742, and those that report to the COO had estimated losses of $3,119,717. The reporting relationship with the greatest estimated losses: CSO to Legal Counsel, with losses of $3,773,931.

[Chart: CSO estimated financial losses from security incidents. Source: CSO]

We spoke to a wide range of folks who've worked these jobs to get behind these numbers, and to hear their take on who they think CSOs should report to, and why.
