What’s The Best Reporting Structure for the CISO?
As cybersecurity risk management has emerged as a top strategic priority for companies across industries, the question of whom the CISO should report to has likewise risen in importance. Historically, the CISO reported to the CIO, but companies are increasingly considering a number of alternatives—from placing the CISO in the risk or enterprise data groups to having them report directly to the CEO or the board. Although there is no one-size-fits-all answer, we can provide guidance for companies about the pros and cons of the various options.
Option #1: Reporting to the CIO
Most CISOs have reported to the chief information officer (CIO) since the cybersecurity position was first created—and most CISOs call the CIO boss today, according to Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group.
Pros: The CIO is the member of the C-suite who best understands cybersecurity issues and, in many cases, is reporting to the board on the topic. Much of a CISO’s spending is directly related to IT. And there would be a cost of disruption to change this approach in many organizations, says Bittianda.
Cons: Although the CISO role was created to secure IT systems and data, “a big part of the role is outside of IT,” says Sandra Konings, partner with BDO Advisory in the area of cybersecurity. CISOs have to consider employee awareness and education, develop security policies and procedures, and drive cultural change. “When the CISO is reporting to the CIO, it may be easy to influence IT,” says Konings. “But it’s not so easy to influence anyone else.” CISOs reporting to CIOs may also be pressured to focus on technological solutions at the expense of more holistic solutions. The most significant cybersecurity vulnerabilities are the humans in an organization, not its technology stack. Falling under the CIO reinforces the notion that cybersecurity is simply an IT issue, rather than an enterprise one, says Denver Edwards, principal at the law firm of Bressler, Amery & Ross specializing in cybersecurity issues. There can also be a conflict of interest when the CIO must weigh security against other priorities such as networking, application development, infrastructure support, and outsourcing, says David F. Katz, a partner and leader of the Privacy and Information Security Practice Group for Nelson Mullins Riley & Scarborough.
Option #2: Reporting to the CRO
Over the last five years, some organizations, such as financial services firms and large multinational companies, have opted to place the CISO under the chief risk officer (CRO).
Pros: “The role of the risk function is to give the board greater insight into the enterprise risk of the company, not just financial risk, so it makes sense,” says Konings of BDO Advisory. “It’s an oversight function and that can help to ensure that everyone does what’s needed to put the right solutions in place.”
Cons: In many companies, the CRO doesn’t report to the CEO, so this reporting structure can further distance CISOs from top executives and company strategy. “At one large company, we transferred the CISO to risk and for a year it worked really well,” says Konings. “But the downside is you’re too far away from everything else.”
Option #3: Reporting to the CFO
Companies nestle any number of functions under finance—IT, risk management, procurement, tax, audit—and some situate the CISO there as well.
Pros: The CFO can be in the know on approaching risk, reports to the board, and may make critical decisions about cybersecurity spending. Although some other C-level leaders have bemoaned the cost-centric focus of a CFO overlord, Egon Zehnder’s Bittianda points out that an increasing number of CFOs are evolving in their management approach in the hopes of taking over CEO roles in the future.
Cons: The downside, of course, is that many CFOs want to see returns, particularly if they are incentivized on year-over-year earnings growth, says Bittianda. “That can be a tough discussion for CISOs to have because it can be difficult to show the benefits of cybersecurity investments,” says Konings of BDO Advisory. CFOs may lack sufficient technical understanding as well.
Option #4: Reporting to the CDO
The chief data officer is a relatively new corporate role often focused on preserving and expanding the value of corporate data, so there is certainly some overlap with the CISO’s role in protecting that data.
Pros: “A CDO that sees the company’s data as an asset, and who is aware of the company’s defensive skills, could be the right person to be responsible for information security,” says Edwards of the law firm Bressler, Amery & Ross.
Cons: CDOs who see their role as an offensive position, leveraging data to increase revenues, may clash with CISOs who see their role as defending the valuable information assets of a company. “This sets an inherent conflict and the end result is to place the CISO in a position of being perceived as potentially hostile to the business objectives,” says Katz of Nelson Mullins Riley & Scarborough. What’s more, that new CDO may not be able to give enough attention to cyber issues, thereby limiting the effectiveness of this structure. “Data breaches have become so prevalent that it requires full-time attention,” says Edwards. “Meanwhile, it would be a wasted opportunity if a company has data that could help gain market share, but was slow to execute because the CDO has other challenges to confront.” Additionally, if the CDO does not report to the CEO, this again puts a greater gulf between the CISO and the organization’s leadership.
Option #5: Reporting to GC/CLO
While not a widely employed approach, some companies have opted to move the CISO out from under IT and into the office of the general counsel (GC) or chief legal officer (CLO). This often happens in cases where the CEO recognizes the critical nature of cybersecurity and deems the GC someone to trust with it, according to Bittianda of Egon Zehnder.
Pros: GCs handle significant issues related to information governance and compliance and have a good idea about corporate direction since they often serve as board secretaries. They also tend to get involved when there is a cybersecurity incident. Unlike the CEO or even the CFO, the GC is not burdened with many other direct reports.
Cons: Because GCs don’t typically have many non-legal direct reports, they may not be the best managers. They are also more engaged in episodic security activities, like breaches, than operational issues.
Option #6: Reporting to the CEO
Three years ago, IDC predicted that 75% of CISOs would report to the CEO, but it’s still the exception rather than the rule. This typically occurs in tech-centric companies or those that have suffered high-profile cyber setbacks, and it demands a CISO who is a true business leader.
Pros: Reporting to the CEO maintains the independence of the CISO role and can enable “frank and candid discussion with respect to risk, resources, prioritizations and conflicts that may arise among the larger group of stakeholders within the entity,” says Katz of Nelson Mullins Riley & Scarborough. A dotted-line reporting relationship to the board or some other oversight committee with regular reporting requirements can strengthen this kind of arrangement.
Cons: Cybersecurity, while a high priority, is not central to CEO responsibilities in many organizations. “The greater number of principals who directly report to the CEO reduces the executive’s ability to focus on strategy and organizational leadership,” says Steve Berlin, litigation associate at Rumberger Kirk & Caldwell who helps clients develop cybersecurity policies and defend them in related litigation. A CISO who reports to the CEO but is not part of the management team is still a step removed from strategic decision-making. “In many cases, it’s better to report to the CIO, who is part of the management team, and can feed necessary information to the CISO,” says Konings of BDO Advisory.
Option #7: Reporting to the Board
An alternative that few companies have considered, but that is worth exploring, is having the CISO report directly to the board of directors or one of its committees.
Pros: “Ultimately, the board is responsible for supervising management. The board needs unvarnished information about a company’s cyber performance,” says Edwards of Bressler, Amery & Ross. “Direct reporting to the Board enables directors to ask probing questions of management without the information being sanitized. It also enables the board to get discrete cyber information outside of board meetings when they may be deluged with an array of issues.”
Cons: For this to work, the company’s board must have members with specific knowledge of cybersecurity issues and a willingness to oversee the CISO role and function.