Does it matter who the CISO reports to?

Reporting relationships are more than lines on an org chart; they're lines of authority. Ultimately, who the CISO reports to may say more about an organization's maturity than it does about an individual's effectiveness.


Increasing regulatory security requirements also make the case for a CSO who reports to leadership independent of IT's oversight. "In the regulatory climate affecting businesses today, it behooves an organization to place the CISO/CSO in an organizational position where they have independence and oversight abilities, and can act as a business adviser for security functions and features," says John Kronick, Director of Cybersecurity Solutions at PCM, Inc. If the CISO is under the CIO, he says, "there is no independence or objectivity by the CISO, and any CISO assessment work would potentially be tightly controlled or restricted as to render it worthless."

In the end, the changing legal and threat landscape will align to make the CSO a co-equal partner of CIOs and other execs for a simple reason: the bottom line. "Recently, there have been security breaches that have affected company stock prices," says SecurityScorecard's Yampolskiy. "For example, the Equifax stock price has not yet recovered after the company's big breach, just as Sony's stock price hasn't after the PlayStation breach and theft of internal documents. As more high-profile events like those happen, we expect the CISO in the next few years to start entering the senior leadership teams of companies."

Copyright © 2019 IDG Communications, Inc.
