A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders. There are different impacts of having the CISO report to a technical director
instead of the chief information officer (CIO) or other C-level executives. This piece outlines the pros and cons of typical CISO reporting structures and offers tips for pursuing the right balance for the organization.
As a relatively new discipline, information security does not necessarily have an established reporting structure. Because InfoSec generally emerged from IT, the majority of CISOs today report into the CIO.
However, the CISO organization has many different possible anchor points and thus many paths to the successful protection of information and information assets. CISO reporting structures depend on many factors, including organizational history, circumstance,
personalities and risk maturity. There is no single “right” reporting relation.
Let us begin by framing the discussion in terms of where the CISO can most effectively lead the organization to avoid circumstances that might lead to harm. When considering security frameworks like the NIST Cybersecurity Framework, we can further detail
effectiveness in terms of identify, protect, detect, respond and recover.
Over the past decade, information security has kept its roots in technology, but expanded to include semi-independent and trusted oversight of people, processes and technology to assure protection of confidentiality, integrity and availability (CIA) of
information and information assets, whether digital or otherwise.
This came about as organizations realized security is not just a technical problem. As threats emerge, information security must often take ownership of major behavioral change initiatives, such as anti-phishing campaigns, social engineering avoidance,
managing executive social media exposure, etc. Sometimes, being perceived as part of IT detracts from the CISO’s effectiveness in governing non-IT aspects of security.
As companies mature in risk and increase in size, the trend is for information security leaders to broaden into corporate security leaders, often adding physical/site security and business continuity to their portfolio and becoming chief security officers.
Depending on how stakeholders view the business criticality of information security, the CISO might report directly to the CEO or be aggregated with other risk executives under a chief risk officer (CRO).
The typical stages in the evolution of the CISO position are:
There is no standard reporting hierarchy. The actual path taken differs by industry and company circumstance. The degree of government regulation and public scrutiny also shapes the reporting structure.
Nonetheless, the key attributes of successful CISO organizations should influence the discussion of reporting structure:
The advantage of reporting into IT is that everyone is accustomed to IT’s large budgets and programs. IT also generally has the resources to manage the budget process and do project management. Those roles may be hard to find in other areas of the
For example, they will require significant time and resources if the CISO reports directly to the CEO or to a functional organization that is not used to this scale (e.g., the chief legal officer). The budget/program advantage must be balanced against
the IT-only perception disadvantage.
Use the CISO success factors to understand the specific drivers for CISO reporting in your organization. A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional
and functional leaders.
Being perceived as an IT problem. Reporting into IT with limited ability to influence the behavior of employees, partners and suppliers will not lead to success. Also, this positioning can be used to exclude the CISO from the protection of non-IT technology
(e.g., shadow IT) and non-digital assets (e.g., paper records, staff disclosure of secrets, etc.).
Being perceived as the policer of the organization. Act as the mirror and window, not just the locked door. In other words, strive to present risks clearly and, instead of simply banning new initiatives, offer innovative solutions that mitigate risk while
enabling the business.
Reducing your role to a checklist of compliance points that are static and often can never be satisfied. Focus on risk management and business decision-making.
Having your hands tied. Avoid a reporting relationship that does not provide you, as CISO, with the ability to raise awareness of risks to whatever level of leadership is appropriate to stimulate action to address those risks. In a boss, seek mentorship,
not “must be approved by me” filtering.
A good network of leadership mentors to help you understand how to bring about change. Establish trust with your boss as a key member of your mentor group.
Understanding of your own leadership maturity with an eye toward growing your skills. Sometimes, this means reporting further down in the organization with an understanding that as you develop, your reporting will move upward.
The freedom to engage in difficult conversations where you can explain the risk clearly and take a personal position, while understanding that the decision to accept, mitigate or transfer that risk is up to business leadership, not IT or information security.
A strong trust relationship with the CIO and IT leadership, so you can develop your programs and budgets in collaboration. The rest of the organization will perceive IT plus information security as a combined cost of doing business, so it is best to resolve
tradeoffs directly between the CIO and CISO. Pay attention to and benchmark the budget ratios, such as:
Finally, CISOs must do an honest appraisal of the risk maturity of the organization and of their own ability to interact at the highest levels of leadership in the organization. Seek mentor input on your conclusions. Plan your growth and negotiate for
a reporting relationship that leads you to the next level of maturity and, possibly, a later revision of your reporting structure. Be humble and focus on your core mission and principles.
October 19, 2021
By IANS Faculty