CISO Reporting Structures Are Changing With The Times

Summary: This 3-minute article explores the increasingly important role of Chief Information Security Officers in advanced cyber security for businesses. Learn how the ideal CISO reporting structure has evolved. Contact DIGIGUARD CYBER SECURITY at 833-33-CYBER (833-332-9237) or visit www.DIGIGUARDsecurity.com for a cyber risk analysis and to discuss the importance of CISOs and the best way for your company to design CISO reporting.

Cybercrime is at an all-time high. The recently expanded remote-access work environment has given hackers new opportunities to target businesses. The increase in cyberattacks has prompted many companies to create the position of CISO (Chief Information Security Officer). As companies of all sizes have become digitally dependent, they have discovered the need for a “point person” responsible for protecting all their business data. The responsibilities of CISOs include overseeing the development and implementation of cyber defenses and best practices. Their goal is to reduce the chances of their business falling victim to an attack. They must also communicate effectively with C-level executives and Board members. Unfortunately, even though many companies understand the value and role of a CISO, they often don’t understand the importance of a proper CISO reporting structure.

CISO Reporting

The most common CISO reporting structure has the CISO reporting to the CIO (Chief Information Officer). The original logic behind this structure is that the CIO is the head of the department; therefore, all key personnel should report to them. However, companies have recently found that CISOs can be most effective when they report directly to CEOs (Chief Executive Officers).

CISO to CEO Reporting

CEOs are charged with final decisions on all company security-related issues. Therefore, by reporting directly to the CEO, the CISO can help keep cyber security a top-line priority in the Executive team’s mindset. In addition, there are several other reasons:

Unfortunately, having CISOs report directly to CEOs can impact their relationship with company CIOs. Unless the CISO and CIO have a close collaborative relationship, jealousy and tensions between them can arise. Furthermore, a CEO’s time to address security issues is limited. Therefore, they might not have time to discuss security with both the CISO and CIO.

CISO to CIO Reporting

In companies where CIOs are responsible for all IT projects and data security, it might make sense for the CISOs to report directly to them. Other benefits include:

CISO to CFO Reporting

Another scenario is CISOs reporting to the CFOs (Chief Financial Officers). Although it is helpful to acknowledge and balance budgetary considerations, CFOs are not charged with a company’s information security. Therefore, by viewing security as a monetary concern or a line item on a budget, CFOs can miss the boat on understanding the more significant issues of rising cybercrime and data protection. On the other hand, a critical benefit of CISOs reporting to CFOs is that when the CISOs understand the financial implications of an issue, they can better customize their IT strategies accordingly. Also, CFOs are always looking for ways to save money and maximize profits. So, if CISOs can prove the need for, and cost-effectiveness of, data and information security initiatives, their CFOs will be more likely to support them.

Virtual CISO Services

Many SMBs cannot afford to have CISOs on staff. However, in our remote-access work environment, many CISO responsibilities can be performed by virtual CISO services or vCISOs. By outsourcing the CISO position to IT experts and using the services of a vCISO, small businesses can receive most of the same services an in-house CISO can perform. These duties include data protection, cyber security strategies, security assessments, security reporting and building a strong CISO reporting structure. In addition, services provided by vCISOs are scalable and can be augmented or reduced as your company evolves. Finally, higher-compliance companies can use vCISOs to ensure all laws and regulations are followed.

Hackers are constantly working to find ways to breach business data, and CISO roles are in a constant state of expansion. Therefore, SMBs must make informed decisions about the type of CISO reporting structure that is best for them.