The evolution of the CISO role and organizational readiness

If we look at the headlines surrounding recent data breaches, we might conclude that the role of the chief information security officer (CISO) has never been more critical to the success and sustained well-being of an organization. As a by-product of this statement, we might also surmise that the information security organization, and where it reports, is equally important. This is probably why every recent CISO event includes a conversation about where the CISO and the information security program should reside within an organization. The challenge is that, however healthy the debate, the question of where the CISO and his/her department should report generally ends with "it depends". To shift from debate to productive action, perhaps the question is not where the CISO should report but why it matters.

Frankly, it matters for a number of reasons, not the least of which is that the CISO (or head of information security) now shares the repercussions of data breach headlines along with the companies they represent. This is a very troubling turn of events, and it is why the role and reporting relationship of the CISO within an organization warrants further discussion and decisive action.

First, the discussion. The protection of information systems and data is integral to business operations, just as the human resources and finance functions are foundational within most organizations. Additionally, just as human resources and finance executives are not responsible for the actions of every employee, the CISO is not responsible for the actions of every employee as they relate to information protection. In fact, like other executives, CISOs are subject matter experts who interpret regulations, establish policy, influence employee behavior and monitor for appropriate outcomes.

Second, information security is not simply a technology problem. The National Association of Corporate Directors (NACD) provides very specific guidance stating that "cybersecurity is an enterprise-wide risk management issue, not just an IT issue." This is an important point as companies expand their portfolio of third parties that manage critical company systems and data (often bypassing internal IT departments).

Third, if the CISO continues to receive equal media billing alongside their company when there is a data security breach, the CISO should have authority to effect change on par with the CFO, CIO and other key executives. This includes a direct line of sight to the CEO and board of directors, and command of a budget that extends beyond the IT realm into all areas of the organization where cyber risk is introduced.

Now, the call to action. As a profession, information security is relatively immature. There is no one-size-fits-all job description or reporting structure. Even CIOs can have different reporting lines depending on the company: CEO, CFO or CAO, to name a few possible bosses. Within the CISO community there are also differences in education and in business and technical acumen.

Given the shortage of skilled information security practitioners, let's assume there is no silver bullet when it comes to the "right" reporting structure or personality type that will guarantee CISO success. However, based on numerous conversations, there is agreement that the information security program and its leader must be aligned to the corporate strategy. To achieve this, the CISO needs access to other C-level executives to ensure alignment and engagement; the latitude to influence and affect employee behavior; the authority to report progress and challenges; and corporate support should the inevitable "security event" happen. And, per the NACD, cyber risk needs to be managed as an enterprise risk, and a cross-functional team of key stakeholders should be assembled to develop an information security strategy.

While every organization will need to establish its own plan for addressing information security as an enterprise risk, there are three activities that necessitate immediate action:

The role of the CISO will continue to evolve, and as recent events indicate, there is still much to be done to increase the effectiveness of the CISO. It is critical to take the first steps to ensure that the role can engage at the appropriate level of the organization, and it has never been more important to build the leadership abilities of the CISO. Every organization should consider how it is addressing its cyber risk and what role the CISO plays within the business.

About the Authors:

Brian Engle, CISA, CISSP, is chief information security officer and Texas cybersecurity coordinator for the State of Texas. He can be reached at

Renee Guttmann is vice president of information risk and member of the Office of the CISO for Accuvant and formerly served as CISO of Coca-Cola. She can be reached at
