Does it matter who the CISO reports to?

Reporting relationships are more than lines on an org chart, they're lines of authority. Ultimately, who the CISO reports to may say more about an organization's maturity than it does about an individual's effectiveness.


The 2019 State of the CIO survey, conducted by our sister site, captures an industry in transition. The survey found that 23% of top security executives reported to the CEO, while nearly 45% reported into a CIO. Respondents seemed confident that security was getting the high-level consideration it deserved: 64% said that IT security strategy was a tightly integrated and integral part of the company's overall IT strategy and roadmaps.

Despite this supposed infosec love fest, the survey also revealed that 44% of respondents don't have a top executive of any title focused solely on security. Unsurprisingly, the presence of such an exec correlates to company size — only 40% of companies with less than $100 million in revenue have a top security exec, but that number rises to 74% for those with $5 billion or more in revenues.

Another interesting, if unsurprising, correlation: security execs who have the ear of top management are more likely to win a larger portion of the IT budget for security purposes. Companies that spent less than 5% of their IT budget on security were equally likely to have their CSOs report to CIOs or CEOs; but at companies that spent 10% or more on security, the CSO was almost twice as likely to report to the CEO. The effect was even more pronounced at companies where the top security title holder was CISO: only 3% of CISOs at companies that spent less than 5% of their IT budget reported to the CEO, but 26% of CISOs at companies that spent more than 10% did.

Smaller companies are also more likely to see a direct connection between infosec and top management. For all job titles, infosec execs are much more likely to report to the CEO at companies with revenue less than $100 million a year. For instance, 61% of surveyed companies at this size saw CSOs reporting directly to CEOs; by contrast, at 60% of companies taking in more than $100 million, one or more executives stood between the CSO and CEO in the org chart.

What's in a title?

Since we've been juggling different titles here, let's talk about them for a moment. There are some broad trends in usage that may seem to distinguish CSOs from CISOs. In general, according to IDG's 2019 State of the CIO research, CSOs tend to be higher up the org chart: At respondent companies where the top security exec has a CSO title, 43% report directly to the CEO; but only 18% of CISOs report to the top. And 9% of survey respondents said their chief infosec executive reported in to someone with a CSO title, indicating that job sometimes included duties beyond IT, most notably physical security.

But there are plenty of exceptions, and for many companies the CSO job is purely technical in scope. Rather than try to draw a hard-and-fast distinction, we'll use "CSO" generically to refer to a top-level security exec, with the assumption that most if not all of their job duties focus on information security. Many of the people CSO spoke to used CISO and CSO interchangeably, and that usage is reflected in their quotes.

Safe in the nest of IT?

Companies as a rule don't start off as giant enterprises: they grow into them, and often their reporting structures are formed in the process of that growth. In relatively new companies, a structure where the CSO reports to the CIO or other head of IT is common, says Edward Marchewka, founder of Chicago Metrics. This is especially true if, as he puts it, "there is a good deal of blocking and tackling still left to do — basic processes like ensuring proper firewall rules or timely application of security patches or even basic inventory of company assets. It is hard to protect information and devices if you don't know where they are." Paul Wallenberg, Unit Manager of Technology Recruiting Services at LaSalle Network, says this arrangement works well to give the CIO the full lay of the land in IT, with "comprehensive visibility across all information technology domains rolling up to one central person."

But as a company grows, security can find itself chafing under the CIO umbrella. In particular, a CSO might find that their job doesn't necessarily have the same goals and incentives as the rest of the IT department. Dave Burg, Principal at EY Advisory Americas, says that a structure where a CSO reports to a CIO can result in "over-leveraging towards cost management as opposed to risk management." Alexander Yampolskiy, a former CSO who's now CEO of SecurityScorecard, puts it more bluntly: a CIO "is usually rewarded for delivering business projects, which affect revenue. The CISO's job is to fix vulnerabilities — and those security projects will always create tension for resources with revenue-driving projects."

There's also the matter of differing priorities: a CIO has a long list of goals, and if the CSO is under their umbrella, they may find themselves shunted to one side in the quest to complete a big project. Brian Brammeier, CEO of HigherGround Managed Services, describes a scenario he encountered within a company where he consulted. "There was a major security issue that was leaking data. The CIO was notified, but it didn’t get the priority that was needed because he didn’t classify it as a drop-everything-and-fix problem — which it was. The director of security approached the board because of the gravity of the issue, and they changed the reporting structure so that the CISO reported directly to the board.

"When a security issue is discovered, people may be defensive," Brammeier explains. "At onset, it doesn't matter whose fault it is; the issue just needs to be resolved." But in the real world, not everyone is so broad-minded, and not every conflict between a CSO and their CIO boss is going to end like the episode Brammeier describes. "Yes, you can inform the board of your disagreement with the direction the CIO is taking," says Kudelski Security's Hicks, "but it typically does not help with your longevity as a CISO."

Getting strategic

Reporting into a CIO can constrain a CSO's ability to execute strategically, says Bil Harmer, CISO at Zscaler. CSOs in that position "are both financially and personally invested in the security posture they have advocated for," he explains. "The perceived repercussions of admitting the security architectures they have built are no longer effective can create a lot of pressure, and the CISO is therefore less likely to tear it down and adjust when needed. Overall, CISOs don’t feel empowered or encouraged to pivot in ways that benefit the overall business."

Having a direct line to higher ups in the company can help break CSOs out of that trap. "Once the tech side of a company has matured," says Chicago Metrics' Marchewka, "the security organization can transition to more of a risk-based approach and report into higher parts of the business." Indeed, most of the people we spoke to felt that a good sign of a forward-thinking company is a CSO who doesn't answer to a CIO, but who is instead in a position to think like one of the company's leaders.

Several executives we spoke to touted an organization where the CSO has more of a coordinating role across multiple departments. "The 'command and control' CISO who owns everything security related is no longer a valid construct," says BluVector CEO Kris Lovejoy. "The CISO becomes a committee chairman, responsible for gathering and communicating cross-organizational metrics that will be packaged and presented to leadership." Netskope CISO Lamont Orange adds, "In this model, security architecture resides in each of the functional areas of the organization, with the CISO providing governance and transparency."

In other words, the CSO needs to get out of the IT silo. "The days of the CISO being completely IT-centric and as such being in a role under the CIO is gone," says Brian Contos, CISO for Verodin. "Managing security effectiveness and risk management transcends IT and has to operate at an executive level so that technical and non-technical decision makers can be armed with evidence-based data in order to make business decisions more effectively and efficiently from an informed position."

Powwows with bigwigs

Getting the ear of those decision makers is one of the most important reasons why a CSO might want to get out from under the IT umbrella — and the closer you can get to the top, the better. "In an ideal world, a CSO/CISO would report directly to the board of directors," says Kudelski Security's Hicks. "Given the political realities at most firms, I think a more realistic target is to report to the CEO or equivalent. For a CISO or CSO to be truly effective, they need access to the central decision-making process and the authority to participate in that process as an independent voice. To truly provide guidance to the organization around the security of its information and assets, you need to be in the executive level decision-making conversations. And not simply as an observer: you need a full vote."

Having top leadership's ear has concrete and practical benefits when it comes to getting the resources a CSO needs. "Typically, in successful organizations with a strong culture of security, we see the CSO report to leaders such as the CFO or COO," says Chris Duvall, Senior Director at The Chertoff Group. "These leadership roles are often heavily involved in the day-to-day decision making and have the ability to understand and incorporate long-term security needs into capital expenditure planning, as well as to resource and extract 'emergency' requirements and funds when necessary," he says.

The respect you deserve

A CSO who reports to the top is taken more seriously, which can only add to their job satisfaction. An organizational distance from decision makers "is one of the most common reasons the average tenure of a CISO is around 18 months," says Hicks. "It's not an easy job to begin with, and if it's not set up for success, it's untenable over the long term." If a company is looking to hire a new top security exec, according to LaSalle Network's Wallenberg, it "will have more success in attracting top-tier talent if the CSO reports to the CEO."

But it's not just the CSO's personal happiness that's on the line: it's the company's security. A CSO will be most satisfied at a company that takes security seriously, and giving the CSO a direct connection to top leadership is a part of that. "If a breach can paralyze a business, then the CISO should report into the CEO," says Karin Klein, a founding partner of Bloomberg Beta. "It's as simple as that. It's about shifting the mindset of CEOs to make sure their security plans are buttoned up. When a CISO reports directly to the CEO, the information flow is direct and immediate. It also signals to the whole company and its stakeholders (employees, customers, the board, investors, etc.) that security is a top priority."
