Does it matter who the CISO reports to?

Reporting relationships are more than lines on an org chart; they're lines of authority. Ultimately, who the CISO reports to may say more about an organization's maturity than it does about an individual's effectiveness.


The respect you deserve

A CSO who reports to the top is taken more seriously, which can only add to their job satisfaction. An organizational distance from decision makers "is one of the most common reasons the average tenure of a CISO is around 18 months," says Hicks. "It's not an easy job to begin with, and if it's not set up for success, it's untenable over the long term." If a company is looking to hire a new top security exec, according to LaSalle Network's Wallenberg, it "will have more success in attracting top-tier talent if the CSO reports to the CEO."

But it's not just the CSO's personal happiness that's on the line: it's the company's security. A CSO will be most satisfied at a company that takes security seriously, and giving the CSO a direct connection to top leadership is a part of that. "If a breach can paralyze a business, then the CISO should report into the CEO," says Karin Klein, a founding partner of Bloomberg Beta. "It's as simple as that. It's about shifting the mindset of CEOs to make sure their security plans are buttoned up. When a CISO reports directly to the CEO, the information flow is direct and immediate. It also signals to the whole company and its stakeholders (employees, customers, the board, investors, etc.) that security is a top priority."

Increasing regulatory security requirements also make the case for a CSO who reports to leadership independent of IT's oversight. "In the regulatory climate affecting businesses today, it behooves an organization to place the CISO/CSO in an organizational position where they have independence and oversight abilities, and can act as a business adviser for security functions and features," says John Kronick, Director of Cybersecurity Solutions at PCM, Inc. If the CISO is under the CIO, he says, "there is no independence or objectivity by the CISO, and any CISO assessment work would potentially be tightly controlled or restricted as to render it worthless."

In the end, the changing legal and threat landscape will align to make the CSO a co-equal partner of CIOs and other execs for a simple reason: the bottom line. "Recently, there have been security breaches that have affected company stock prices," says SecurityScorecard's Yampolskiy. "For example, the Equifax stock price has not yet recovered after the company's big breach, just as Sony's stock price hasn't after the PlayStation breach and theft of internal documents. As more high-profile events like those happen, we expect the CISO in the next few years to start entering the senior leadership teams of companies."

Copyright © 2021 IDG Communications, Inc.
