Security has become a top concern for enterprises, so it is no wonder that the chief information security officer (CISO) reporting structure has changed. From 2016 to 2017, the share of organizations with a CISO rose from 50% to 65%, and cybersecurity and cyber risk are increasingly getting their own C-suite positions. CISOs are finding that traditional information security strategies and functions are no longer adequate for today's expanding and dynamic cyber-risk environment, and because every facet of the enterprise depends on a secure IT infrastructure, they need to work with multiple C-level authorities.

Where the CISO sits is not just a logistical question. Reporting structures within the C-suite influence the effectiveness of an organization's cybersecurity strategy: the CISO's ability to set a budget and make decisions independently may still depend on where the position falls on the organizational chart. There are clear benefits to having a designated CISO, but it is not a one-size-fits-all position, especially when it comes to reporting lines. Every organization is different, so there is no single required structure. There are, however, a few common practices, each with its own pros and cons. In this post, we share what we have learned about the impact of reporting structures on risk and security.

Option #1: Reporting to the CIO

In the past it was typical for cybersecurity to be governed by the chief information officer (CIO), and if security were simply a subset of IT infrastructure, a reporting structure in which security professionals report to the CIO would make sense. It remains the most common arrangement: according to K logix, more than half of CISOs report to the CIO, while 15 percent report to the chief executive officer (CEO). A separate 2019 figure cited here puts the CIO share at only 24%, with 40% of CISOs reporting directly to the CEO and 27% bypassing the CEO and reporting to the board of directors, so the picture is shifting.

The case against this option is that cybersecurity involves far more than IT; other departments need to be involved in order to create a truly secure organization. CIOs also have a lot on their plates, including rising demands for new applications. "As technology sits at the heart of customer engagement strategies, marketing functions are becoming increasingly influential in IT decisions, and their demands are often greater than the CIO's," Forrester noted. It is also important to consider where the CIO falls in the reporting structure of the organization: only 56% of global CIOs report directly to the Board or CEO, and with each additional go-between, you run the risk of complex issues getting lost in translation.

Option #2: Reporting to the CEO

Reporting directly to the CEO is perhaps the most effective structure. It makes the CISO a member of the C-suite, giving the role top-level visibility within the business and the ability to communicate directly with the highest-level decision makers about cybersecurity concerns. If an organization has suffered a high-profile data breach, cybersecurity should probably be directly under the CEO's purview; direct communication between the CISO and CEO expedites decision-making so that cybersecurity issues get resolved more rapidly.

The caveats: CEOs may have less hands-on knowledge of cybersecurity than other executives, and their time is limited, so the CISO needs to be an experienced communicator who can translate technical needs into business terms. While interacting with multiple top-level executives is common, disputes can also arise at that level when subordinates take direction from outside the chain of command.

Option #3: Reporting to the Board

Some CISOs report to the Board, an arrangement noted in industries such as healthcare, retail and utilities. When reporting to the Board, a CISO needs to keep in mind that most Board members are not cybersecurity experts. They probably have a broad understanding of their industry's most pressing cybersecurity concerns, but they may not be familiar with the specific facets of a security program, so it is the CISO's job to lead the discussion and make independent decisions related to information security. Reporting to the Board takes skill, and easy-to-understand cybersecurity metrics and KPIs are essential. With security ratings, it is possible to assess cybersecurity performance in relation to specific initiatives and spend money more strategically.

Option #4: Reporting to the CRO, COO or CFO

Reporting to the chief risk officer (CRO) can improve organizational understanding of cybersecurity and its relationship to overall risk. The CRO role is evolving along with the ways risk is evaluated, and keeping security under a risk leader rather than an operational one can help leaders avoid conflicts of interest. The remaining CISOs report to the chief operating officer (COO) or chief financial officer (CFO). The risk with a finance-focused reporting line is that if financial issues are allowed to supersede cyber risk concerns, important cybersecurity initiatives may fall through the cracks.

Non-CEO reporting lines: relationships outweigh reporting structure. Whoever the CISO reports to, the leadership team has a responsibility to understand and provide input into security issues, and the CISO must understand the business and help the enterprise balance its goals against risk. The structure should be tailored to your organization's specific needs and concerns.

Listen to the podcast: Take Back Control of Your Cybersecurity Now, with Scott Koegler. Scott Koegler is a technology journalist covering topics ranging from software to cybersecurity, and practiced IT as a CIO for 15 years.

© 2020 BitSight Technologies.