What Is the Ideal CISO Reporting Structure?

A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders. There are different impacts of having the CISO report to a technical director instead of the chief information officer (CIO) or other C-level executives. This piece outlines the pros and cons of typical CISO reporting structures and offers tips for pursuing the right balance for the organization.

CISO Reporting Structures

Because InfoSec generally emerged from IT,  the majority of CISOs today report into a technical function. See the chart below which features first party data from our annual CISO Compensation and Budget Survey. Of the over 500 respondents, 46% of CISOS report to a CIO, with 15% reporting directly to a CTO. With 65% reporting into a technical function, rather than a business function.

Source: IANS + Artico Search 2022 CISO Compensation and Budget Survey

However, the CISO organization has many different possible anchor points and thus many paths to the successful protection of information and information assets. CISO reporting structures depend on many factors, including organizational history, circumstance, personalities and risk maturity. There is no single “right” reporting relation.

Let us begin by framing the discussions in terms of where the CISO can most effectively lead the organization to avoid circumstances that might lead to harm. When considering security frameworks like the NIST Cyber Security Framework, we can further detail effectiveness in terms of identify, protect, detect, respond and recover.

GET STARTED: CISO Compensation & Budget Benchmark Survey

CISO Role Origins

Over the past decade, information security has kept its roots in technology, but expanded to include semi-independent and trusted oversight of people, processes and technology to assure protection of confidentiality, integrity and availability (CIA) of information and information assets, whether digital or otherwise.

This came about as organizations realized security is not just a technical problem. As threats emerge, information security must often take ownership of major behavioral change initiatives, such as anti-phishing campaigns, social engineering avoidance, managing executive social media exposure, etc. Sometimes, being perceived as part of IT detracts from the CISO’s effectiveness in governing non-IT aspects of security.

As companies mature in risk and increase in size, the trend is for information security leaders to broaden into corporate security leaders, often adding physical/site security and business continuity to their portfolio and becoming chief security officers (CSOs).

In fact, our first-party data supports this, showing CISOs oversee more than just information security. As part of the aforementioned CISO Compensation and Budget Survey where we collected first-party data on over 500 CISOS, most respondents indicate their security ownership currently includes multiple functions. A waterfall chart shows the most common combinations (see figure below). Besides information security, 79% of CISOs are also responsible for technical risk and compliance. In addition to infosec and tech risk and compliance, 59% also oversees product security and 33% has privacy as an added responsibility.

Source: IANS + Artico Search 2022 CISO Compensation and Budget Survey

Depending on how stakeholders view the business criticality of information security, the CISO might report directly to the CEO or be aggregated with other risk executives under a chief risk officer (CRO).

Evolution of the CISO Role

The typical stages in the evolution of the CISO role are:

1. Individuals specializing in security within IT operations.
2. A recognized IT security sub-group that spans operations, applications, policy, compliance, governance etc., and reports to a security IT manager/director.
3. An IT executive elevated to CISO under the CIO. With this elevation and additional data strategy role, the CISO sometimes transforms into the chief data officer (CDO).
4. A company executive or senior executive reporting in parallel to the CIO – often both to the chief financial officer (CFO) or chief operating officer (COO), but sometimes under a new empowered CRO.
5. A senior executive CISO reporting to the CEO on the executive leadership team. This happens primarily when information security is viewed as critical to company success.

There is no standard reporting hierarchy. The actual path taken differs by industry and company circumstance. The degree of government regulation and public scrutiny also shapes the reporting structure.

Key Determinants of CISO Reporting Structure

Nonetheless, key attributes to successful CISO organizations should influence the discussion of reporting structure:

• Independence: Is the CISO free to give honest, unbiased, clear evaluation and guidance? Is the CISO positioned to be able to report and influence all levels of leaders without undue conflict-of-interest pressure?
• Governance: Is the CISO guided by a trusted core of key business, region and functional leaders? Is the security program owned by them and not just the CISO?
• Impact: Is information security positioned to be successful in its operational components (e.g., identity and access management, firewall management)?
• Influence: Is the CISO positioned to be a strong partner with all business, regional and functional leaders as well as outside entities (e.g., customers, the board, regulators, etc.)?
• Resolve: Can the CISO engage and lead the necessary difficult conversations to find a way forward by balancing the tensions among business, security, regulation and stakeholder expectation with regard to mitigating circumstances and minimizing harm?

CISO Success Factors

The advantage of reporting into IT is that everyone is accustomed to IT’s large budgets and programs. IT also generally has the resources to manage the budget process and do project management. Those roles may be hard to find in other areas of the organization.

For example, they will require significant time and resources if the CISO reports directly to the CEO or to a functional organization that is not used to this scale (e.g., the chief legal officer). The budget/program advantage must be balanced against the IT-only perception disadvantage.

Use the CISO success factors to understand the specific drivers for CISO reporting in your organization. A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders.

Role of the CISO

Obstacles Faced by CISOs

Being perceived as an IT problem. Reporting into IT with limited ability to influence the behavior of employees, partners and suppliers will not lead to success. Also, this positioning can be used to exclude the CISO from the protection of non-IT technology (e.g., shadow IT) and non-digital assets (e.g., paper records, staff disclosure of secrets, etc.).

Being perceived as the policer of the organization. Act as the mirror and window, not just the locked door. In other words, strive to clearly present risks and instead of simply banning new initiatives, offer innovative solutions that mitigate risk while enabling the business.

Reducing your role to a checklist of compliance points that are static and often can never be satisfied. Focus on risk management and business decision-making.

Having your hands tied. Avoid a reporting relationship that does not provide you, as CISO, with the ability to raise awareness of risks to whatever level of leadership is appropriate to stimulate action to address those risks. In a boss, seek mentorship, not “must be approved by me” filtering.

Opportunities for CISOs

A good network of leadership mentors to help you understand how to bring about change. Establish trust with your boss as a key member of your mentor group.

Understanding of your own leadership maturity with an eye toward growing your skills. Sometimes, this means reporting further down in the organization with an understanding that as you develop, your reporting will move upward.

READ:  Reporting on Information Security Metrics That Matter to Executive Leadership

The freedom to engage in difficult conversations where you can elaborate the risk clearly and take a personal position, but understand the decision to accept, mitigate or transfer that risk is up to business leadership, not IT or information security.

A strong trust relationship with the CIO and IT leadership, so you can develop your programs and budgets in collaboration. The rest of the organization will perceive IT plus information security as a combined cost of doing business, so it is best to resolve tradeoffs directly between the CIO and CISO. Pay attention to and benchmark the budget ratios, such as:

• IT to revenue
• InfoSec to revenue
• InfoSec to IT
• InfoSec to research and development (R&D), etc.
• A healthy challenge-collaborate environment, not a conflict-adversary environment

Advice for CISOs

Finally, CISOs must do an honest appraisal of the risk maturity of the organization and of their own ability to interact at the highest levels of leadership in the organization.

1. Seek mentor input on your conclusions.
2. Plan your growth and negotiate for a reporting relationship that leads you to the next level of maturity and, possibly, a later revision of your reporting structure.
3. Be humble and focus on your core mission and principles.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.