A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders. This piece outlines the pros and cons of typical CISO reporting structures and offers tips for pursuing the right balance for the organization.
As a relatively new discipline, information security does not have a strong established reporting structure. Because infosec generally emerged from IT, the majority of CISOs today report into the CIO. However, the CISO organization has many different possible anchor points and thus many paths to the successful protection of information and information assets. CISO reporting structures depend on many factors, including organizational history, circumstance, personalities, and risk maturity. There is no single “right” reporting relation.
The most productive way to think about this is to frame the discussions in terms of where the CISO can most effectively lead the organization to avoid circumstances that might lead to harm. When considering security frameworks like the NIST Cybersecurity Framework, we can further detail effectiveness in terms of its five functions: identify, protect, detect, respond and recover.
Over the past decade, information security has kept its roots in technology, but expanded to include semi-independent and trusted oversight of people, processes and technology to assure protection of confidentiality, integrity and availability (CIA) of information and information assets, whether digital or otherwise. This came about as organizations realized security is not just a technical problem. As threats emerge, information security must often take ownership of major behavioral change initiatives, such as anti-phishing campaigns, social engineering avoidance, managing executive social media exposure, etc. Sometimes, being perceived as part of IT detracts from the CISO’s effectiveness in governing non-IT aspects of security.
In our 2020 CISO Compensation and Budget Survey, 66% of CISOs said they report to a technical function, such as a CIO or CTO. In 2021, this share grew slightly year-over-year to 69%. Eighteen percent of survey respondents report to the CEO or chief operating officer (COO), and only a small share has a chief risk officer (CRO), chief financial officer (CFO) or general counsel as their solid-line manager (see figure below).
Source: IANS + Artico CISO Compensation & Budget Survey
According to Steve Martano, cybersecurity recruiter at Artico Search, this trend is remarkable, "because there can be an inherent conflict of interest between security and IT, for several years we have heard from organizations that security would break out of IT and become a separate function reporting to a business executive, but that has not really come to fruition yet. For now, the CISO predominantly reports into the tech group, but we have seen it work in a variety of ways, depending on the organization and individual leaders in other functions."
The typical stages in the evolution of the CISO position are:
There is no standard reporting hierarchy. The actual path taken differs by industry and company circumstance. The degree of government regulation and public scrutiny also shapes the reporting structure.
The following are key attributes organizations should consider using to determine who the CISO should report to and the overall structure of the information security function:
The advantage of reporting into IT is that everyone is accustomed to IT’s large budgets and programs. IT also generally has the resources to manage the budget process and do project management. Those roles may be hard to find in other areas of the organization. For example, they will require significant time and resources if the CISO reports directly to the CEO or to a functional organization that is not used to this scale (e.g., the chief legal officer). The budget/program advantage must be balanced against the IT-only perception disadvantage.
Use the CISO success factors to understand the specific drivers for CISO reporting in your organization. A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional and functional leaders.
Finally, CISOs must do an honest appraisal of the risk maturity of the organization and of their own ability to interact at the highest levels of leadership in the organization. Seek mentor input on your conclusions. Plan your growth and negotiate for a reporting relationship that leads you to the next level of maturity and, possibly, a later revision of your reporting structure. Be humble and focus on your core mission and principles.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 21, 2023
By IANS Faculty