Who should the CISO report to?

It seems like a simple question. After all, there seems to be little debate about where other C-suite officers should report. While there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer, these are relatively tame compared to the heated debate that I have witnessed and been a part of over the past few years.

The fact that this question is asked at all is an indication of the growing acceptance of the CISO role and function. In 2006, only 22 percent of the more than 7,000 organizations responding to PricewaterhouseCoopers' annual information security survey reported having a CISO or equivalent. By 2011, more than 80 percent of respondents reported having a CISO.


But there remains strong disagreement about to whom the CISO should report. The prevailing recommendation is that the CISO absolutely should not report to the CIO. According to many people who write on this topic, having the CISO report to the IT organization is an inappropriate segregation of duties. However, the fact is that between 40 percent and 60 percent of CISOs do report to the CIO or IT executive, depending on industry. And in some industries there is a clear trend toward this reporting structure.

Even if we all agreed that the CISO should not report to the CIO, that does not answer the question. If you ask seven world-class organizations where the CISO should report, you might well get seven world-class answers, each of them vehemently defended by the company that proposed it.

Let's step back and look at the question from a different perspective. When you are introduced to a doctor, you would probably ask, "What type of doctor are you?" The response will indicate the doctor's specialty, skills, training and experience. And if you were looking for an attorney or accountant, your first question to them would be what type of attorney or accountant they were.

When introduced to a CISO, you can't ask that question. We do not think of there being types of CISOs. The question we tend to ask instead is, "Where do you report?" Who a CISO reports to is a general indicator of the types of duties he or she performs. For example, it's likely that a CISO who reports to legal and compliance won't have security operations responsibilities, but one who reports to the manager of network operations and infrastructure probably will.

The variety of CISO job descriptions is further evidence of the diverse skill sets that organizations currently require from people in that role. A few factors that influence where the CISO reports include enterprise strategy, organizational culture, the company's history with the CISO function, the business's security incident experiences, and compliance requirements.

I suggest that different organizations require different types of CISOs based on these considerations. Of course, circumstances change over time and may require a change in the CISO's reporting structure.

Three Types of CISO

There are three major types of CISOs. Most versions of the role will be a mix of more than one type, but these descriptions provide some insights into where the CISO should report.

1. The Technical Information Security Officer (TISO)

The TISO specializes in technical security issues, operations and monitoring, which includes managing firewalls, handling intrusion-detection and intrusion-prevention systems, and so on. The TISO also coordinates and manages technical policies, controls and assessment activities. This person should report to the CIO, CTO or IT management.

2. The Business Information Security Officer (BISO)

The BISO specializes in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other. This person also assists in the implementation and translation of enterprise security requirements, policies and procedures.

Additionally, the BISO should perform business security assessments or, at a minimum, coordinate the response to identified business-related security issues. Ideally, there should be a BISO embedded in every major business unit or division, and he or she should report to business management.

3. The Strategic Information Security Officer (SISO)

The SISO specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization's mission, goals and objectives. The SISO must coordinate with the operations officer and the BISO to ensure appropriate progress. The SISO should also be responsible for metrics, dashboards and executive reports, and for presenting assessments of the state of security in the enterprise to the board of directors. The SISO should report to an executive management function such as the chief risk officer, chief operating officer or chief legal counsel, or to an executive management committee.


When considering who the SISO will report to, think about whether the superior executives will be able to appropriately support the SISO. For example, would the CEO be able to spend as much time with the SISO as is needed? The SISO should also be able to represent the corporation externally, that is, with third parties or in cyber insurance discussions.

You may infer that you need more than one type of CISO for your organization, and you may be right. In fact, for some organizations, one CISO is not enough. Seven percent of organizations responding to PricewaterhouseCoopers' 2011 global information security survey reported having more than one CISO. So, to whom should the CISO report? The short answer is: to the most effective manager, depending on the type of CISO.

John Kirkwood is chief information security and strategy officer for Security Innovation. He is also the chief strategist for Smbiosys. Previously, John has been a global chief information security officer for Royal Ahold and American Express.
