A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders. This piece outlines the pros and cons of typical CISO reporting structures and offers tips for pursuing the right balance for the organization.
As a relatively new discipline, information security does not have a strong established reporting structure. Because infosec generally emerged from IT, the majority of CISOs today report into the CIO. However, the CISO organization has many possible anchor points and thus many paths to the successful protection of information and information assets. CISO reporting structures depend on many factors, including organizational history, circumstance, personalities and risk maturity. There is no single “right” reporting relationship.
The most productive way to think about this is to frame the discussion in terms of where the CISO can most effectively lead the organization to avoid circumstances that might lead to harm. When considering security frameworks like the NIST Cybersecurity Framework, we can further detail effectiveness in terms of its five functions: identify, protect, detect, respond and recover.
Over the past decade, information security has kept its roots in technology, but expanded to include semi-independent and trusted oversight of people, processes and technology to assure protection of the confidentiality, integrity and availability (CIA) of information and information assets, whether digital or otherwise. This came about as organizations realized security is not just a technical problem. As threats emerge, information security must often take ownership of major behavioral change initiatives, such as anti-phishing campaigns, social engineering avoidance, managing executive social media exposure, etc. Sometimes, being perceived as part of IT detracts from the CISO’s effectiveness in governing non-IT aspects of security.
While the IANS 2020 CISO Compensation and Benchmark Survey finds two-thirds of CISOs (66 percent) still report into the technical organization (see Figure 1), we expect this year’s survey to see that figure reduce somewhat.
The typical stages in the evolution of the position are:
There is no standard reporting hierarchy. The actual path taken differs by industry and company circumstance. The degree of government regulation and public scrutiny also shapes the reporting structure.
The following are key attributes organizations should consider when determining whom the CISO should report to and the overall structure of the information security function:
The advantage of reporting into IT is that everyone is accustomed to IT’s large budgets and programs. IT also generally has the resources to manage the budget process and do project management. Those roles may be hard to find in other areas of the organization. For example, they will require significant time and resources if the CISO reports directly to the CEO or to a functional organization that is not used to this scale (e.g., the chief legal officer). The budget/program advantage must be balanced against the IT-only perception disadvantage.
Use the CISO success factors to understand the specific drivers for CISO reporting in your organization. A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders.
Finally, CISOs must do an honest appraisal of the risk maturity of the organization and of their own ability to interact at the highest levels of leadership in the organization. Seek mentor input on your conclusions. Plan your growth and negotiate for a reporting relationship that leads you to the next level of maturity and, possibly, a later revision of your reporting structure. Be humble and focus on your core mission and principles.
October 19, 2021
By IANS Faculty