[BreachExchange] Reporting relationships: Who should the CISO report to?

Wed May 29 10:27:08 EDT 2019

https://cio.economictimes.indiatimes.com/news/strategy-and-management/reporting-relationships-who-should-the-ciso-report-to/69462022

Reporting relationships in organizational structures are of prime
importance, because without them companies may not run efficiently or
cost-effectively. These reporting relationships are responsible for
depicting who each employee reports to, what he/she is responsible for
and who reports to them.

Without these lines of authority, it becomes very easy for conflicting
directions to be given, or even no directions to be given at all,
which is detrimental to business. Today one will consider this with
respect to the CISO, and whether it matters who the CISO reports to or
not.

A survey conducted by CIO.com found that nearly one-fourth of CISOs
reported directly to the CEO, while almost half reported to the CIO.
However, despite this disparity, 65 percent of respondents were
confident that IT strategy was a top priority in their company’s
roadmaps.

There are a number of nuances that may be developed in light of this
information. For one, almost half of the responses claim that their
companies do not possess top security experts or CISOs. This leads one
to believe that the nature of the CISO as a role is already dependent
on the maturity of a company, i.e. how developed and complex its
organizational structure is. In companies that do have a CISO, it
turns out that depending on how much the company spends on IT security
may play a large role on who the CISO reports to.

There also seems to be a distinction formed on the role played by
CISOs in different companies. In companies where the top security
executive is a CSO, it is often the CSO that reports to the CEO,
whereas the CISO will report to the CSO more often. However, in
general consensus, the terms CISO and CSO are often used
interchangeably to refer to the same position.

It is counter-intuitive to assume that companies have a well-defined
reporting structure from the onset, reporting structures are often a
consequence of growth and hence are organic in nature. However, if you
run a business that might have burgeoned in size significantly in a
short time-span, it can merit your company to revaluate the reporting
structure and to draw up clear lines of authority. One common example
of conflict is that of a CISO’s role in contrast with that of a CIO.

Alexander Yampolskiy, CEO of Security ScoreCard says, "a CIO is
usually rewarded for delivering business projects, which affect
revenue. The CISO's job is to fix vulnerabilities — and those security
projects will always create tension for resources with revenue-driving
projects".

Furthermore, if CISO reports to a CIO, research shows that this
detriment a CISO’s ability to make strategic interventions; they feel
less empowered as a consequence of being constrained by two tiers of
authority, rather than just one. In order to counter this, CISO’s must
have a direct line up to a higher authority. By transitioning to a
risk-based approach, this allows companies to be forward thinking in
their strategic endeavours.

In the neo-organizational model, the CISO is less of the owner of
every security construct. Rather, in the words of Kris Lovejoy, “The
CISO becomes a committee chairman, responsible for gathering and
communicating cross-organizational metrics that will be packaged and
presented to leadership.” What this means is that in the current
umbrella of organizational decision making, the CSO needs to get out
from under the IT umbrella and be given the ability to report directly
to the top, the CEO or equivalent. In order to be able to provide
guidance in terms of internet security, the CISO must be able to make
decisions at an executive level.

All in all, it seems that a CISO who reports to the top is taken more
seriously, has more autonomy and is also better at doing his/her job.
All of this combatively adds up to more job satisfaction as well. If
the company does not take security seriously, the CISO will lack
satisfaction. While it is true that this sort of change will only be
enacted when an organization is mature, the fact remains regardless
that any company operating at a significant level must evaluate its
reporting relationships in order to effectively combat unclear lines
of authority and to better organizational structure before any risks
to security arise.