Where and to Whom Should the CISO Report?
We begin our book with one of the most basic and fundamental issues facing cybersecurity today, namely the reporting structure for CISOs. As our authors will note, this reporting structure has a tremendous impact on the efficacy of the organization’s security operations. This discussion highlights the differences between traditional, IT-focused views of cybersecurity and those that are evolving to view cybersecurity as a risk-management function.
While there are differences in approach and perspective, our authors collectively emphasize how important it is for the CISO to know their organization’s industry, regulatory requirements, and lines of business. This organizational context has important implications for the staffing levels and budget of the security operation.
Bill Bonney highlights how organizations are demanding more of their CISOs and the fact that CISOs are expected to expand upon their deep technical knowledge to also include domain expertise in the areas of risk management and business operations. His analysis highlights how the balance between technical skills and business acumen is frequently influenced by the level of maturity of the organization.
Matt Stamper suggests that the reporting relationship for the CISO reflects how the organization views risk. Organizations that take a more expansive view of cybersecurity and risk will likely have a CISO reporting outside of traditional IT, generally reporting to the CEO or CFO. His perspective is that there are also inherent challenges in having a CISO report into IT. Under these scenarios, the CISO is placed in the unenviable position of having to judge the work of their boss, frequently the CIO.
Gary Hayslip offers a pragmatic view of where CISOs should report depending upon the industry context of the organization. What is clearly emphasized, and all the authors agree on this point, is that organizations that have a designated security officer – a CISO – will have better security outcomes than those who have not formalized this role within their organization. Gary highlights how critical it is for the CISO to truly know the organization – its people, its data, its industry, its applications, and its infrastructure. As Gary notes, “cyber doesn’t exist in a vacuum.”
Some of the questions the authors used to frame their thoughts for this chapter include:
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.