
Breaking down the CISO reporting structure

The CISO reporting structure has come under fire after a long line of high-profile data breaches, so who should CISOs report to?

The CISO reporting structure has been a recurring debate for several years, and the debate has intensified in light of recent highly publicized breaches, such as Target, Home Depot and Anthem. There are four basic questions raised in this debate: Should there be a CISO position? If so, who should the CISO report to? What are the pros and cons of a CISO reporting structure? And who decides?

Should there be a CISO position?

The CISO is an executive-level position that exists to provide executive management with expert counsel and advice on matters of information security and asset protection. Unlike the director of information security or security practitioners -- who may very well be effective in managing the information security group -- the CISO might accomplish the same things, but would have additional direct communication with and visibility to executive management.

The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be independent of influence or pressure from those involved in the protection of corporate assets, empowered to deploy all proper levels of protection, and positioned within the organization to embed information security into the business culture.

Not all enterprises need a CISO, but they need a person who is dedicated to information security based on these three keys. Finding a qualified CISO is a separate challenge, but the right candidate could be a CISO, director of information security or security practitioner. However, the CISO typically has accessibility that a person would not have without the title.

Who should the CISO report to?

A survey conducted in July 2014 by ThreatTrackSecurity found that 47% of CISOs report to the CEO or president, while 45% report to the CIO, 4% to the chief compliance officer, and less than 2% to the COO or CFO.

Realistically, who the CISO reports to is situational. Moving outside of IT or as a direct report to the CIO might actually be the worst thing that could happen.

The CISO should ideally report directly to the CEO or another C-level executive -- such as the CIO or CTO. Whoever the CISO reports to needs to understand and appreciate the CISO's role in the organization. This empowers the CISO to deploy information security protection schemes independently, without unnecessary influence from superiors or other executive management. Having a Charter for Information Security approved and authorized by the CEO and executive board can strengthen this.

While the CISO could report to other executives, such as chief auditor, chief legal officer or CFO, this should be discouraged since these executives typically do not have sufficient background or common goals.

The CISO reporting to the CIO or CTO has its challenges. Does the CISO have sufficient clout to deploy proper security, even if the CIO or CTO has instructed the contrary? Does the CISO have recourse in the event that his superior decides not to pursue a vulnerability or design flaw that subjects the company to great harm? While these scenarios do unfortunately happen, thankfully they don't occur often.

Pros and cons of a CISO reporting structure

Pros: If the CISO reports outside of the IT department, he or she should report to a C-level executive who supports, understands and champions the information security function and the CISO with the executive management team. This gives the CISO independence, the ability to disagree, the ability to take a stoic, professional and balanced view of protection, and the empowerment to deploy an information security program that addresses more than technology.

Cons: Realistically, who the CISO reports to is situational. Moving outside of IT or reporting to someone other than the CIO might actually be the worst thing that could happen. The CISO might lose contact, credibility, cooperation and empowerment to control the security of corporate assets. This could be because the C-level executive does not have sufficient appreciation or influence to support the CISO. Conversely, reporting to the CIO could be just as repressive if there isn't a shared vision or a good working relationship between the two.

Who decides?

Despite the endless debates and opinions voiced over whether the CISO should report to the CIO or another C-level executive, the ultimate question is, "Who decides?" It clearly will not be the newly hired CISO. It will not be the existing director of information security. The CEO and board members should ultimately decide, but unfortunately the question is not typically a consideration until the company has experienced a breach or a major security incident.

How to decide who the CISO reports to

There are several factors that can be used to determine to whom the CISO should report. These include: Should there even be a CISO? Can the director of information security or security practitioner accomplish the same goals without the CISO title? Do the CEO and executive board deem information security critical to doing business? Does the CISO have sufficient background and education to manage information security from a business perspective? Is the executive to whom the CISO reports knowledgeable about information security? Does this C-level executive have sufficient influence to effect change? Can the CIO provide the CISO with the skills necessary to be successful?

Today there are thousands of companies that have CISOs, many of which report to either the CIO or CEO. The challenge, among many, will be for the CEO and executive board. Provided the question is even raised, they need to consider whether a CISO is necessary, whether the CISO deserves a "seat at the table," the CISO reporting structure, and the pros and cons of the CISO reporting inside or outside the IT organization. This discussion is meant to provide a more pragmatic approach while the debate continues.

About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Mike has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.


This was last published in June 2015
