I read that experts believe CISOs should stop reporting to CIOs because there is a conflict of interest. What should...
a CISO reporting structure in a typical enterprise be like? Does it make more sense for CISOs to report to CEOs?
The CISO reporting structure is a long standing discussion resulting from years of locking horns with the CIO and technology groups. Executive management historically has left information security to the CIO primarily because it has been considered technology based. The role of the CISO has also evolved from a security engineer, manager of information security, director of information security to the CISO, a c-level executive. The Georgia Tech Governance of Cybersecurity: 2015 Report stated that 40% of 121 companies surveyed indicated the CISO reports to the CIO. The same surveys from 2010, 2012 and 2015 show little change in the CISO reporting structure. In North America, the figure was 51%, whereas in Europe and Asia, it was 33% and 26%, respectively.
The primary goal of the CISO is not to protect technology; it is to protect the business. If reporting to the CIO inhibits the CISO's ability to achieve that end, this marginalizes the CISO's effectiveness and creates a great disservice to the enterprise. The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be independent of influence or pressure from those involved in the protection of corporate assets, empowered to deploy all proper levels of protection, and positioned within the organization to embed information security into the business culture.
Whether or not there's a conflict of interest when the CISO reports to the CIO all depends on the CIO. If the CIO allows the CISO to maintain independence and empowerment for deploying the information security program, then position is not an issue. Conversely, if the CISO reports to a c-level executive other than the CIO, unless that executive has an appreciation, budget and support for the information security program, the reporting structure would be worse than the latter.
Ideally, the CISO should report to an executive -- other than the CIO -- who has an appreciation for information security and can champion the CISO's efforts and goals with executive management. That executive can be the CEO, an executive board member or chief risk officer. (In some cases, a CISO can be a c-level executive board member.)
However, for years the CISO and security team have reported to the CIO and although there may have been situations that created tension and possible conflicts of interest, technology and processing was maintained. Information security was still accomplished, albeit not optimally, but sufficient to accomplish adequate protection.
Another consideration in the CISO reporting structure is that when the CISO reports to the CIO and is empowered to deploy the right level of security, the CISO's level of success can quickly change if the CIO is replaced with another person who disrupts the CISO's role and functions. The same could happen if the executive -- including the CEO -- the CISO reports to moves on or retires. The key is to be aware of the differences between each executive and be flexible enough to change reporting structures in a way that allows the CISO to independently perform his job.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Find out how the role of the CISO is changing for better and for worse
Learn how chief data officers affect the role of the CISO
Discover why the CISO reporting structure is such an urgent issue