The CISO (Chief Information Security Officer) reporting structure is a hotly debated topic, and the right answer often differs from one organization to the next. This question has perplexed many organizations, and it is of growing importance as cyberattacks grow in frequency and breach costs increase.
Many organizations initially place the cybersecurity responsibility within the IT department, reporting to the CIO. This may work in a small environment or where leadership prioritizes security. However, many understandably believe the CISO should report outside of IT because of a potential conflict of interest. Security and IT have different priorities. IT focuses on adding new systems and features while maintaining stability. Security, much like Risk and Compliance, focuses on managing risk, adhering to policy, and ensuring proper controls are in place.
For example, let’s say IT wants to add a new product that has not been properly vetted for security issues. If the CISO reports to the CIO, who is more focused on getting the product out the door, the CIO may silence the security team’s concerns and bypass the regular procedure. In some cases, the CIO may dictate what the security team can or cannot review, or even tell the security team how to perform its reviews.
In a recent LinkedIn poll, we asked whether the CISO should report to the Board, legal/compliance, finance, or IT. Out of nearly 1000 votes, 75% stated the CISO should report directly to the board. Many respondents cited avoiding conflicts of interest as the reason to report outside of IT. This raises the question of why the CISO often doesn’t have a seat at the executive table; many organizations do not give this role a C-suite designation at all. Instead of a “CISO”, many organizations have a Security Officer, a data security manager, or a VP of security.
It is true that several reporting structures can work. On the other hand, it is clear that conflicts of interest are a real concern and have stirred trouble in companies. The CISO role should operate similarly to Risk and Compliance and have a voice at the top. If an organization is serious about cybersecurity, it should hire security-minded leadership and ensure the reporting structure avoids conflicts of interest.