Who Reports to Whom? CISO, CIO, CEO: Cybersecurity Reporting Structures

Cybersecurity and cyber risk are increasingly getting their own C-suite positions. From 2016 to 2017, the number of organizations with a CISO (chief information security officer) rose from 50% to 65%. Other security and risk-related executive positions like chief risk officer (CRO) and chief data officer (CDO) have also grown in popularity.

The introduction of these new roles, however, comes with potential confusion about who should report to whom, and questions about how to implement structural changes. These aren’t just logistical problems, either; reporting structures within the C-suite can influence the effectiveness of an organization’s cybersecurity strategy.

Bitsight has worked with IT security and risk leadership at hundreds of organizations. In this post, we’ll share what we’ve learned about the impact of reporting structures on risk and security.

Who’s in charge of cybersecurity?

In the past, it was typical for cybersecurity to be governed by the chief information officer (CIO). However, cybersecurity is getting more complex and requires constant awareness of new threats, frameworks, regulations, and best practices. Therefore, in the current climate, enterprise cybersecurity should have its own C-level position. This position is most commonly given the title of chief information security officer (CISO).

Who should the CISO report to?

Every organization is different, so there is no universal reporting structure. However, there are a few common practices for CISO reporting, each with their own pros and cons.

Should the CISO report to the CIO?

The CIO, being in charge of the IT department, has extensive knowledge about the technical side of cybersecurity. However, cybersecurity involves far more than just IT — other departments need to be involved in order to create a truly secure organization.

Reporting to the CIO may come at the expense of the culture, procurement, and operations functions of cybersecurity, such as promoting company-wide security awareness, assessing cyber risk while onboarding new vendors, and making sure that operating procedures follow security best practices.

It’s also important to consider where the CIO falls in the reporting structure of the organization. The next step up in the reporting line can have an impact on the decisions that affect cybersecurity and risk. Only 56% of global CIOs report directly to the Board or CEO — with each additional go-between in the reporting structure, you run the risk of complex issues getting lost in translation.

Should the CISO report to the CRO?

Reporting to the chief risk officer (CRO) can improve organizational understanding of cybersecurity and its relationship to overall risk. A CRO can come up with risk-based justifications for cybersecurity improvements, and make a case for the CISO’s proposed programs and initiatives. While CRO was originally a finance-focused position, the role is evolving, along with the ways risk is evaluated.

In some organizations, however, CRO remains primarily a financial position, and the CRO may not report directly to the CEO or Board. If financial issues are allowed to supercede cyber risk concerns, important cybersecurity initiatives may fall through the cracks.

Should the CISO report to the CFO?

Because the CFO’s priority is the financial health of the organization, a CISO reporting to a CFO might be unduly burdened with justifying spend.

It can be difficult to prove the effectiveness of cybersecurity initiatives, and unless the CISO can consistently demonstrate in a quantitative way how their proposals will benefit the company financially, this reporting structure can result in conflict and frustration.

On the other hand, this structure can also challenge the CISO to question their resource allocation, and that can be a positive thing. Using tools like security ratings, it’s possible to assess cybersecurity performance in relation to specific initiatives and spend money more strategically.

Should the CISO report to the CEO?

When the CISO reports to the CEO, it allows the security program to maintain independence from other departments and prevents cybersecurity goals from being hemmed in by financial concerns.

For industries in which cybersecurity is a major priority (e.g. finance, healthcare, retail, utilities) reporting directly to the CEO is perhaps the most effective reporting structure. In addition, if an organization has suffered a high-profile data breach, cybersecurity should probably be directly under the CEO’s purview, and direct communication between the CISO and CEO will expedite the decision-making process so that cybersecurity issues get resolved more rapidly.

Reporting to the CEO does have potential downsides. CEOs may have less hands-on knowledge of cybersecurity than other executives, and less time to spend listening to and thinking about cybersecurity concerns.

Should the CISO report directly to the Board?

Some CISOs report to the Board, giving them the ability to communicate directly with the highest-level decision makers about cybersecurity needs. However, reporting complex subject matter to the Board takes skill. No matter how much technical knowledge a CISO brings to the table, they need to be an experienced communicator as well.

Related: The Do's and Don'ts of Reporting Cybersecurity to the Board

When reporting to the Board, a CISO needs to keep in mind that most Board members aren’t cybersecurity experts. While they probably have a broad understanding of their industry’s most pressing cybersecurity concerns, they may not be familiar with the specific facets of a security program.

Board-level presentations should focus on the big picture, demonstrating how cybersecurity initiatives — including those that go beyond IT — can improve the organization’s financial, reputational, and operational health. A good way to communicate this big-picture impact is to keep the Board updated with easy-to-understand cybersecurity metrics and KPIs, such as security ratings, in order to demonstrate measurable progress.

More Than One Answer

There are clear benefits to having a designated CISO, but it’s not a one-size-fits-all position, especially when it comes to reporting structure. Every organization is different, and your reporting structure should be tailored to fit your organization’s specific needs and concerns.

In general, however, the ideal CISO reporting structure will allow for efficient communication and swift progress, while ensuring that all aspects of cybersecurity are represented.