Ever wonder how other companies view the role, title, and pecking order of the CISO? CSO magazine did a quick round of interviews with security professionals from several companies and collected their feedback.
From CSO Online:
Most of the execs we spoke to acknowledged that a CSO reporting to a CIO is still the most common scenario, but is in many cases not ideal. When asked about their preferred reporting alignment, they had a host of suggestions.
CSO-to-CEO: Bloomberg Beta’s Klein likes this arrangement for the “direct and immediate” information flow it provides. And sometimes you win when it comes to the background of your top exec. “Having a technical CEO has been a stroke of luck,” says Amanda Fennell, CSO at Relativity. “It eases typical communication barriers that might inhibit the fast-paced progress we benefit from today.”
CSO-to-COO: But not everyone is so fortunate, and the Chertoff Group’s Duvall worries that with “the myriad of demands placed on the CEO’s attention at any given time, security concerns may fall behind other critical decisions.” By contrast, by reporting to a COO, a CSO has access to a leadership role “heavily involved in the day-to-day decision making.”
CSO-to-CFO: At some companies, the CFO is in charge of preventing all manner of financial losses, which puts security under their purview. However, as Kudelski Security’s Hicks says, “CFOs tend to lack the technical background to understand the intricacies of the CISO’s role. In favorable scenarios, they defer to and enable the CISO. In less favorable situations, their technical gap, coupled with their desire to save money, can put the CISO in a difficult position.” Some companies have the CSO reporting to a more specialized Chief Risk Officer (CRO) instead.
CSO-to-General Counsel: Because cybersecurity risks and breaches often have significant legal implications, especially in heavily regulated industries, it can make sense to have the CSO report to the company’s top lawyer. “The alignment of accountability and convergence of perspective around cyber risk that results from this reporting structure can be profound,” says Jason Straight, SVP and Chief Privacy Officer of Cyber Risk Solutions at UnitedLex.
CIO-to-CSO: Seems upside down, but it does happen sometimes, according to Verodin’s Contos. “This is in part because of the consumerization of IT, cloud, mobile apps, and other initiatives that are driven by business units as opposed to being corporate-wide IT decisions,” he says. It’s also driven by corporate history: “One specific example of this reporting hierarchy came about when the CIO was promoted to CISO and hired a CIO under them.”