What Is The Most Cogent CISO Reporting Structure?

The Board, The CEO, The CFO, The COO, Risk, The CIO

Seth Adler

Reporting for duty is a pleasure for the modern CISO. Thwarting threats to the enterprise is an effort that delights that particular executive. But those threats have expanded exponentially for myriad reasons involving every person in an ever enlarged distributed corporate value chain.

Thus, thwarting threats has become a bigger job that encompasses management of every single person that works in that distributed corporate value chain. User Awareness alone speaks to that responsibility. When you add collaboration with senior business leaders to ensure the distributed workforce is not only aware, but being active in effective user-level cyber defense- you start to wonder about where cyber security actually sits in the enterprise. And when you consider that presenting a business case for the cyber security budget that includes brand trust perception you start to wonder to whom the CISO should report.


Potential conflict of interest is given as the chief reason to that the CSHub community gives for not reporting to the CIO. As the dialogue usually goes, the CIO role is meant to be about quickly advancing technology for the organization. And the dialogue usually continues that the CISO is going to want to see and put controls on new technology before it is implemented. If the CISO is a report to the CIO conflicts of interest arise. That’s a traditional thought pattern.

The CSHub take on this relationship is that a good CISO knows how to present a sold business case for cyber security technology while enabling business through understanding the latest collaboration tools. The modern CISO is already on the front lines of technology procurement for the enterprise. A good modern CISO remains ahead of the distributed workforce to conceive of the future technology and information services reality of the enterprise. To us, it sounds like the CIO could report to the CISO soon.

To be clear, no CISO to whom we’ve spoken has suggested this scenario. And further, no CISO that we know is necessarily interested in taking on this behemoth task. All that said, it seems like a change that makes cogent sense for the enterprise based on where external reality is taking the CISO role.

The COO, CRO, Risk Committee

Risk can report up through the COO or to a CRO. Horizon Power CISO and CSHub APAC Summit speaker Jeff Campbell notes, “it's moving outside of technology, and we're starting to see reporting through to risk bodies or corporate governance bodies.” And financial services sector CISO and future CSHub Fiancial Services speaker Tom Kartanowicz agrees, “while the historical view where CISO, cyber, is an IT problem. And there's still validity. There's still a lot of it components to cybersecurity, but there's more to it in, in 2020. There's a whole element of risk now.”

Kayne McGladrey is the Spokesperson for IEEE’s Public Visibility Initiative. He’s been working at a high level with Fortune 500 and Global 1000 companies for decades. He’s got a pretty definitive point of view. “Ultimately the CSO should report to the Chief Risk Officer, the CRO- because ultimately cyber security is about managing risk at a technical level and at a regulatory level. The natural alignment is with risk.” While his preceding comment is myopic, his subsequent thought pattern includes a more Business Information Security Officer vision.  “Also maintain a very healthy relationship with internal counsel- especially if there's chief counsel. Have a coffee every once in a while. And have a healthy relationship with the CIO.”


Those who are already adept at creating a business case that shows the potential vast losses the company can face if not well defended, place this title on the list.


If the entire enterprise is affected by the CISO, some think that the best line of reporting is to the CEO.

The Board

And if it’s the entire enterprise value chain- the only place in which to report would be the board, as argued by some. Kayne McGladrey did chime in on this possibility, “you cannot effectively regulate your boss. It’s a good alignment if the CSO reports directly to the Board- as opposed to having to report through somebody to the Board. Obviously, that produces some interesting budgetary outcomes, as the CSO and the CIO- who previously might have argued over budgetary allocations- have equal footing in those conversations.

The Bottom Line

The CSHub Interactive Discussion on our Mid Year Report findings focused on five main tent pole conversation pieces- Approach vs. Strategy, Talent, Budget and Technology and Q&A from the community. The approach vs. strategy conversation was dominated by effective user awareness objectives, campaigns and strategies. The focus was on the fact that-as noted above- every single person in the distributed enterprise is on the cyber security team. And the CISO must manage that team.  The talent conversation was around finding and keeping good talent. And the budget conversation focused on making the business case for more budget.

Those are all business subjects. Only 1/5 of our time was spent on technology. A business principle theme dominated questions from the community. This conversation will continue, but cyber security simply being a piece of the IT department in a global corporate enterprise is just not the case any more.

Running an effective company means having clear and consistent communication and clear and consistent division of responsibility between the people that run that organization. So the CISO role really must find it’s rightful place on the organization chart.

But Jeff Campbell might have put it most magnanimously, “as long as you have buy-in from the executive and have remit to provide necessary services, rather autonomously, but collaboratively, across the organization, then it doesn't really matter.”