When discussing CISO roles, there’s always one massive variable at play. One huge elephant in the room that gets infosec and C-Suite leaders engaged in, sometimes heated, debate: just who should CISOs report to?
Where does a CISO fit within the huge, jumbled jigsaw puzzle that is an organisation? Is there a single set role to whom they should report? Or is it more nuanced than that? Let’s investigate.
Before we get into the debate, we need to recognise that not all CISO roles are created alike. As a role, it can vary wildly depending on the organisation’s strategic and technical focus.
For example, if the company has a strong need for regulatory compliance, then the CISO role may be more aligned with risk management. If the company has a strong need for embedding security into tech products that they create and sell, then a CISO there may need to be more aligned with technical teams. If the company isn’t in an overly techie space, then the role of the CISO (if they have one at all) will likely be more about securing the day-to-day tech they do use – which may even tie them in some way to the COO.
There is no single, empirical way of placing a CISO within the org chart because there is no single empirical way of being a CISO.
So with that bombshell out of the way, let’s explore some of the different ways that the CISO puzzle piece can fit near – or even within – the board.
A considerable number of CISOs report to a technical C-Suite role. Data tells us that around 65% of CISOs in the UK and 45% of CISOs in the US report to the CIO. And anecdotally, we’ve observed this in action: on the whole, CISOs in the US are considerably less likely to report to a CIO or CTO than CISOs in the UK.
On the face of it, it might seem like pairing established techie leadership roles with the often-but-not-always techie CISO is a match made in heaven. However, when you consider the fundamental differences between the CIO/CTO and the CISO, it’s not long before cracks start to show.
CIOs and CTOs are there to propel a business forward through technology – grabbing the latest tech by the horns and using it to help improve the company in myriad different ways. The CISO’s job is to err on the side of caution, investigating all of the potential risks before signing off on significant tech changes. Yet that’s not to say modern CISOs aren’t business enablers – they’re there to help technology functions meet the business’s high-level goals… safely.
On the flipside though, it’s still in the CIO’s best interests to embed security, regardless of their relationship to the CISO. And besides, a CIO with a CISO below them is not immune from blame in the event of a cyber incident.
We do see a number of CISO roles report to the CIO or CTO out in the wild, especially in the UK, but we would argue that the above conflict of interest makes this pairing far from ideal. In my opinion, putting the CIO/CTO and the CISO on level pegging makes a lot more sense.
Though this configuration is less common in the UK than it is in the US, I feel it is a great pairing regardless of geography.
It’s a sure-fire sign that the organisation takes cyber risk seriously enough to handle it alongside its other risks and responsibilities. A CISO/CRO pairing is likely to give the organisation a risk management/mitigation programme that seamlessly embeds cyber and technical risk throughout the organisation.
Placing a CISO here also highlights the real risk of cybersecurity: it’s not just IT’s responsibility; it’s everyone’s responsibility. Cyber threats present a litigation risk like any other that you might find on the factory floor, in the office, in the server room, in a slippery hallway, in a customer-facing environment, the list goes on.
However, this pairing hinges on the company’s attitude to risk and regulation being mature and sensible.
This is another gem in terms of CISO pairing. It can be a real sweet spot as the CISO can potentially influence budgeting decisions in favour of information security. The CISO and CFO also have a shared interest: minimise losses as much as possible.
When the CISO and CFO work in lockstep, cybersecurity isn’t just seen as a pesky cost centre – it’s rightly seen as an essential investment in the business’s wellbeing and longevity. Even if the CISO doesn’t directly report to the CFO, we feel that a good relationship between the two is essential – and many experts over at CFO Magazine would agree.
This is our second-favourite reporting line of them all, though sadly only 10% of US and Canadian CISOs have this privilege. Another stat pegs this at only 8%. Yet pairing the CISO with the de facto head of the business means that the former can wield real, substantial change within an organisation. It shows that the company considers infosec an indivisible part of doing business.
In a way, this approach is also reflective of the board-level business expertise that a CISO needs to adequately navigate the whole business through the storms of cyber threats.
CISOs largely report to the board in some capacity, but I think we’re going to see more CISOs on boards in future. In terms of CISO importance and autonomy, it doesn’t get better than this. It firmly shows that the organisation takes security seriously.
Being on the board isn’t for the faint of heart. But in our view, this is the ultimate CISO role; where security is deservedly seen as the independent, business-critical discipline that it rightly is. Alas, only 14% of US CISOs sit on a corporate board, but as infosec becomes more and more of an issue for organisations of all kinds, we feel that this approach is going places.
The CISO’s reporting lines may depend on the company’s industry and maturity. As companies grow, roles slot in as need arises at the time. But as roles (and indeed organisations) mature, a truly sensible company isn’t afraid to review the need and structure of all roles throughout an organisation, especially those at the top.
As hinted at above, the organisation’s sector may also alter the role of the CISO, in turn changing who best to have them report to. Highly regulated sectors may benefit from a CISO working with the CRO; software engineering sectors might benefit from a CISO/CTO team-up; and companies in any sector who recognise the true, woeful ubiquity of cyber insecurity may wish to place their CISO nearer to the COO, CEO, or the board.
As mentioned above, CISO reporting lines tend to differ depending on which side of the Atlantic you are on.
In the UK, CISOs generally report to the CIO or CTO – for better or worse! It is obviously an approach that is working for many businesses, though we think it may become old hat in the coming few years. As security skills are needed more and more at board level, the CISO may end up leapfrogging their fellow techies to sit alongside them in the boardroom.
We’ve observed that in the US, CISOs seem to be more likely to report to the CRO or CLO than in Britain (though they still often do report to the CIO Stateside). In my view, this is a sensible call. Cyber risks get treated with the same importance as any other business risks, and it gives the CISO links to individuals who eat, sleep, and breathe risk management. It may also be a reflection of the more litigious culture in the US, a particular stressor which further heightens the importance of a risk-avoidant focus.
It’s sad but it’s true: some organisations just see cybersecurity as a tick box exercise to please stakeholders and regulators. But many organisations recognise the importance of security skills and are pretty switched on to the kinds of losses at stake if a breach were to happen.
The organisations who don’t take security too seriously may position a CISO without much forethought – possibly some way away from the board. However, organisations who are more cyber-risk aware may be more inclined to place the CISO closer to the board – or even on it.
How rigid are the reporting lines and etiquette within the organisation? If your solid-line report is your only reporting line with no ifs, buts, or maybes, then the need to correctly place the CISO within your org chart is essential.
However, precise placement becomes less of a debate if the culture within the organisation is quite easy-going and approachable. If the culture allows the CISO to approach any member of the board (or even gives them dotted-line reporting to other line heads), then the argument of where they sit in the org chart becomes less of a big deal.
On the subject of culture, we feel the need to mention that decisions around roles and placement should never hinge on interpersonal dynamics – especially when those roles are near or on the board of directors. This can be a dangerous game to play. One of them will inevitably leave at some point, even if it’s just temporarily, leaving some rather personal shoes to fill for the next candidate.
This is the million-dollar question, but let’s reframe it slightly. Will there ever be one reporting structure that all CISOs fit into nicely and neatly? The answer is no. Therefore, there is no empirical right or wrong answer – only what is right or wrong for each organisation.
All in all, it depends on the type of CISO role in question and what they’ve been hired to focus on. Any reporting line configuration can work – as long as the organisation’s attitude to risk is on point, the CISO is able to work with authority and autonomy, and the individual has a fundamental understanding of the business from a board perspective.
When you find a truly skilled, responsible CISO, keep them as close to the board as you can. The closer to the board, the better. You could also leverage dotted-line reporting to help make this a reality. In my experience, the CISO roles that applicants find most valuable and rewarding are those that come with the authority and autonomy of being near or on the board. So do with that what you will.
Though to conclude, I’d like to share a quote from cybersecurity expert Phil Venables:
If people think the answer to an organisation’s security issues are mostly determined by the reporting line of the CISO, then frankly there are bigger issues at play […] The reality is, like every important concern, security has to be a shared goal – one role can’t carry this alone no matter where it reports.
The writing is well and truly on the wall: organisations need to start taking security seriously or risk serious losses from cybercrime. As companies start to embed security more and more, the relationship between the CISO and the board will naturally become more tight-knit.
I’m of the opinion that CISO roles of all stripes – all across the world – will start getting closer and closer to the board. This may mean reporting to the CEO, which is great! But it would be even better to see CISOs as a present and equal part of the board, possibly alongside cyber-savvy NEDs too!
Whether you are a CISO, you want to be a CISO, or you need a CISO, drop us a line! We’re always on the lookout for keen employers and speculative opportunities in the infosec sphere. Get in touch today!