Author’s note: This post was inspired by the discussions among CISOs attending ISACA’s 2016 CISO Forums, plus additional readings and personal experience. The opinions are my own. For more insights from the CISO Forums, read ISACA’s CISO Board Briefing 2017.
A study by K logix Research titled "CISO Trends" found that "53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems."
This will have implications that go far beyond resource allocation. The CISO’s contribution to the organization is fundamentally to enable growth and support the attainment of the strategic objectives. The CISO will achieve this by ensuring that the information security posture is commensurate with the risk appetite and compliant with industry requirements.
When a group of CISOs discusses reporting, you rapidly come to realize that there is no single global best practice. In fact, as indicated in ISACA's CISO board briefing, "there is not one correct organizational map, not one universal title and not even one universally applicable job description for the information security executive."
To best fulfill this role, a key success factor is having the CISO as close as possible to those who set the tone at the top. Direct reporting to the CEO is what first comes to mind. Working closely with the CEO helps ensure best alignment of security with business imperatives. This requires an excellent working relationship between the CISO and the CEO.
Being perceived as part of the inner circle has its ups and downs. Other executives and directors will want to display a collaborative attitude and deal with the CISO as a key player but might also see the CISO as a threat to their own agenda.
The same study by K logix points out that "more than half of CISOs report to the CIO, and just 15% report to the CEO, with the rest reporting to the COO, or Risk-related organizations. But when asked about the future of the security organization, 50% of CISOs responded that the role will report into the CEO."
There are some public examples in which even the CEO had an agenda that made her avoid her CISO. Googling Yahoo's Marissa Mayer will provide an example of a situation of which no CISO wants to be part.
A very prevalent option is reporting to the CIO. As information security gained recognition and was no longer seen as a purely technical issue, the person in charge was promoted and reported directly to the CIO. At the time, this was a very positive enhancement of the role. But while this may work well for some, it comes with some risk. The CIO is under heavy pressure to deliver the required projects on time and within budget. In this model, the CIO, who has a supervisory function for security and other matters, may also be influenced by personal financial considerations, such as a bonus, particularly in the private sector.
The CIO will eventually be confronted with conflicting objectives when a project does not meet the security requirements and is running out of time or budget. Security is then at risk of being sidetracked. There is a clear rationale for having the CISO function independent of IT.
Other reporting lines may be to the chief risk officer, chief financial officer, chief operations officer and even the chief audit executive.
In “Determining Whether the CISO Should Report Outside of IT, Refreshed” from research firm Gartner, it is noted that:
- “Information security organization design is influenced by a host of factors specific to each enterprise that must be well understood before the adopted structure can work optimally.”
- “The main trend has been a tendency to establish a corporate information security function outside of the IT organization.”
When the opportunity comes to revisit the reporting lines for the CISO, it is no time to be idealistic. One must determine which is the best option within the context, culture and environment of his or her organization.
Among other considerations, one must assess the organization’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.