For years infosec pros have been asking why CISOs aren’t part of the C-suite — after all, what’s the use of having “chief” in your title if you aren’t one of the chiefs?
There are probably many reasons, ranging from suspicious CEOs who worry that the CIO and CISO will team up and vote as a bloc, or that the two will clash whenever they vote against each other, to the mundane ("Oh no, not another voice at the table").
Steve Morgan, CEO at Cybersecurity Ventures, a U.S. security market research firm, decided to canvass his LinkedIn network for expert opinions. Here are a few:
–“There is no single cookie-cutter structure. … There are many organization-specific factors that come into play (size, resources, etc.). Do what’s best for the organization to achieve the risk level acceptable to the organization.”
–The compliance leader should report to the board, and the CISO reports to that person. "The board needs to understand the unfiltered risk," explains this board member and former CIO. "Some will say: In a perfect world, everyone collaborates well, and the reporting chain doesn't matter. So, of course, it does out here in the real world."
–“CISOs should report to the CEO with further exposure and responsibility to the board of directors,” said a security vendor exec. “The time has come for boardrooms to consider cybersecurity a key requirement of every organization’s core infrastructure along with a financial system, HRMS, CRM, etc., necessary to ensure the livelihood and continuity of the business.”
–"A CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business," said a director of cybersecurity at PricewaterhouseCoopers in the U.S.
This may be a tempest in a teapot. If an organization's senior leadership understands how vital cybersecurity is today and is willing to respect, and respectfully negotiate with, an expert, then the reporting lines aren't important.
OK, I can hear readers chuckling now.
"Although many CISOs today are part of the C-suite, surveys show they are still generally held in low regard by their colleagues," Alberto Yépez, managing director of Trident Capital Cybersecurity, wrote in a blog earlier this year. "Too many other C-suite executives think their skill set is too narrow, and that they are non-strategic outside the realm of security and insufficiently fluent in business. After all, the ultimate goal of all business executives at public companies is to build shareholder value, not to merely oversee a specific function."
To counter this, he argues, CISOs need to gain business acumen and analytical skills, learn how to build relationships, and be creative.
There is some movement. Some organizations have taken half steps toward CISO independence by having that person report both to the head of IT and to another executive, such as the chief operating officer, notes a column by Raymond Pompon, a principal threat researcher evangelist with F5 Labs. He adds that there is research showing the trend is shifting away from CISOs reporting solely into the IT organization.
Like others, he expects more CISOs to move out from under IT, especially as cybersecurity becomes more critical to the business.
Hopeful or hopeless? Let us know your thoughts.