As cybersecurity threats continue to evolve and become more complex, it is essential for organizations to have a strong cybersecurity strategy in place.
This strategy includes having a chief information security officer (CISO) who can manage and mitigate the organization’s cybersecurity risks. However, deciding who the CISO should report to can be a challenging decision for executive business leaders.
So, what is the answer? As with most things related to cybersecurity, “it depends.” There really is no one-size-fits-all answer to this question. However, there are a number of considerations that should be taken into account to ensure the success of both the organization and the CISO.
The first consideration when deciding who the CISO should report to is aligning this decision with the company’s overall strategy, cybersecurity organizational maturity, as well as industry and specific business context.
If the organization is focused on stability, has a low risk tolerance and has low cybersecurity maturity, then the CISO could effectively report to the chief financial officer (CFO). In these organizations, the CISO function is often rolled into the responsibility of the CIO, who plays a dual role.
This structure would ensure that cybersecurity risks are managed cost-effectively as part of the organization’s overall risk management framework, assuming one exists. However, the unintended consequence of this structure could be that cybersecurity is viewed as an IT function rather than a business function, resulting in silos of communication, inadequate resource allocation and increased potential for vulnerabilities to emerge for attackers to exploit across the organization and its infrastructure.
If the organization is focused on a moderate program of digital transformation and innovation and has a medium to high level of cybersecurity maturity, then it may make better sense to have the CISO report to the CIO.
This structure can ensure that cybersecurity is integrated into the organization’s technology and business processes. However, it may also create a conflict between the priorities of the CIO, which could include cost reduction or improving user experience, and the CISO as security becomes an expense item that also creates friction to user experience and adoption.
If the organization is focused on extensive digital transformation and innovation and has a medium to high level of cybersecurity maturity, then reporting to a chief risk officer (CRO) or directly to the CEO makes the most sense. This structure ensures that cybersecurity is viewed as a business function and is integrated into the organization’s overall risk management framework. It also provides the best access for the CISO to the executive leadership team to inform business decisions and provide regular updates on the organization’s cybersecurity posture.
Another critical consideration for success, regardless of where the CISO reports, is the level of authority vested in the role and the degree of assigned people and resources under the CISO’s direct control. The higher the CISO’s position in the organizational hierarchy, and the greater accountability they carry, the more critical it is to match their responsibilities with an appropriate level of authority to manage and mitigate cybersecurity risks. This includes decision-making power over budget, staffing and technology investments.
Determining who the CISO should report to is a crucial decision for executive business leaders that should be regularly evaluated, reviewed and adjusted as business operations and context change to ensure the appropriate level of accountability.
However, this decision must also involve empowering the CISO with adequate authority and resources that align with their level of accountability. Only when these considerations are taken together, can organizations ensure that they have the necessary resources and support to effectively manage and mitigate cybersecurity risks.
Kevin Magee is the chief security and compliance officer at Microsoft Canada (www.microsoft.ca).
Print this page