Who should the chief information security officer report to? It depends.
It depends who you ask, and it depends on what the organization as a whole wants to accomplish by having a CISO in the first place. That said, for most organizations it is critical that the CISO report to a business executive rather than to a technology executive, with as few levels as possible between the CISO and the CEO. The reason is that security success is measurably lower in organizations where the CISO reports to someone who does not, in turn, report directly to the CEO.
Common CISO reporting structures
CISOs typically report to one of several positions: either a technology position -- typically, the CIO -- or a business position, such as the chief risk officer (CRO), CFO, COO or CEO. The choice depends on how the organization wants cybersecurity to function: as a compliance checkbox; as a safety precaution subordinate to delivering services; as another facet of risk management; as a business enabler focused on ensuring continuity and integrity in operations; or as a transformative business enabler.
CISO to CIO: Cybersecurity as a part of IT
The most common CISO reporting structure is to the CIO. It is also typically the least effective option, for two reasons: it is inaccurate, and it is dangerous.
It's inaccurate because the CISO is charged with protecting the entire company from attack, not just its technology infrastructure. A successful attack damages far more than networks and systems: it can cost billions of dollars in market capitalization and tarnish the organization's brand.
It's dangerous because CIOs and CISOs often have competing priorities. When the CISO reports to the CIO, the CIO ultimately has veto power over the actions of the CISO and can control the CISO's agenda and focus. The organization recognizes the importance of cybersecurity since it has a CISO but considers it secondary to delivering IT services.
This reporting structure can indicate that the business sees delivering services with inadequate security as acceptable -- although often only temporarily -- if it means hitting critical deadlines. In this case, doing business quickly trumps doing business responsibly. Such an organization often ends up retrofitting security into in-house applications late in the development cycle, or bolting security controls around purchased products after the fact.
CISO to CFO: Cybersecurity because the auditors demand it
Companies that treat cybersecurity as a checkbox requirement for auditors to approve may put their CISOs -- and, often, their CIOs -- under the CFO. In this case, organizations see cybersecurity, like IT, as a cost of doing business with little or no strategic value. Putting cybersecurity under the CFO ensures that externally imposed requirements are met, while costs are contained and closely monitored. The CISO in this type of organization may not even have a staff or dedicated budget and may have an extremely limited scope of authority.
CISO to COO: Cybersecurity as operational necessity
When the CISO reports to the COO -- typically, alongside the CIO -- it speaks to a recognition that cybersecurity problems have the power to disrupt every aspect of operations. Putting the CISO directly under the COO is an endorsement of the realization that proper cybersecurity is a baseline operational requirement. Reporting alongside the CIO, rather than to the CIO, the CISO has parallel authority and is less likely to have to subordinate cybersecurity policies and requirements to IT expedience.
CISO to CRO: Cyber-risk as part of enterprise risk
Some organizations that consider cyber-risk to be a form of enterprise risk ask the CISO to report to the CRO. This is an effective reporting structure if and only if the organization has a well-structured and mature risk program -- typical of financial firms, pharmaceuticals companies and defense organizations, among others -- and a CRO who reports directly to the CEO.
The value of this reporting structure is that it contextualizes the CISO's challenges, concerns and issues within the broader scheme of enterprise risk, which, theoretically at least, is where they belong. Cyber-risk is just one form of enterprise risk, along with geopolitical risk, innovation risk, etc. That said, organizations that lack a mature enterprise risk program are not well served by having the CISO report into a person who is inexperienced, under-resourced, too far from the ear of leadership or all three.
CISO to CEO: Cybersecurity as strategy enabler
When the CISO reports to the CEO, it is a strong statement that the company sees cybersecurity as a core business concern, one with not just tactical and operational importance, but strategic as well. CISOs in this kind of organization can rely on top-level support for establishing comprehensive security architectures and embracing and implementing zero trust and "secure from the start" models.
The right approach
Nemertes research has shown it is best for the CISO to report to a top-level business executive, not the CIO. This kind of reporting structure is aligned with greater cybersecurity success -- by objective metrics -- than reporting into the CIO or into a lower-level business executive.
In many cases, reporting to the CEO is optimal. Cybersecurity is an existential issue for any company for which IT is integral to doing business -- which is to say nearly every company of any size. Having the leader of cybersecurity efforts report to the leader of the company indicates its importance unambiguously. If a company is big enough to have a CISO, that CISO should report to the top.