Managing the CISO: where should the role report into?
08:03 Monday, 21 September 2020
UK Cyber SecurityCouncil
The role of the Chief Information Security Officer, or CISO, can be an unusual role. Although apparently a “C-level” position it is often not placed as such in the company hierarchy – that is, unlike most C-level positions it may well not report directly into the CEO.
So if the CISO isn’t alongside the other C-levels, where in the hierarchy does it sit?
I spent some time searching for CISO roles (I was expecting to find dozens, and I was surprised not to) and of the first ten whose ads stated the reporting line:
- one reported to the CEO
- three reported to the CIO
- three others were listed as members of the IT/technology team, which I took to mean they came under the CIO or CTO
- one reported to the CTO
- one reported to the COO
- one reported to the Chief Risk Officer.
- So, in our rather limited sample, seven of the ten CISOs were in a reporting line under the exec whose homework they would be marking. Is this a good thing? Well, it depends.
I’ve seen many examples of CISOs reporting into the IT director (the CIO or COO) where it’s worked well; all these cases had something in common, though: the reports produced by the CISO went directly, and unadulterated, to the executive and the board. I’ve also seen the opposite, though, where CISO reports that were waving a big, red flag had taken on a rather greener tinge once they had been sanitised before being passed on.
In my experience, unless you have a very strong-willed and confident CISO, it makes things easier for him or her if the reporting line is outside the IT department. Even the best run IT regime will be less than 100% perfect when it comes to security, and it’s understandable if a CISO based in the IT team is fearful of being seen to throw the boss under the bus – even if this isn’t really what’s happening because the reports are simply providing facts and not the CISO’s opinion.
I’ve held security roles both inside and outside the IT world. In one role, the head of risk and I were peers and were based in the CFO’s reporting line, which worked extremely well because it meant we were marking others’ homework, not our boss’s. When I have worked in security within the IT team it has worked OK, but it was always harder – and one can feel uneasy when the exec team are reading your report and asking your boss, who’s sitting next to you, pointed questions about why he’s not fixed the issues you’ve just told them about.
In reality, though, the question shouldn’t be whether the CISO should or shouldn’t be part of the technology team. Let’s go back to the first bullet point, which noted that only one of the ten CISO job ads we found reported directly to the big boss. The title “CISO” starts with a C for a reason – and my default position to anyone who asks where I think the CISO should report is simple: it’s one of the most important roles in the organisation and it should report to the CEO.