The CISO vs. the Org Chart

As someone who works with Chief Information Security Officers (CISOs) and who is a virtual CISO for my clients, I found this posting very interesting. It’s not particularly new, but it was new to me when I came across it a couple weeks ago (see excerpt below).

Common CISO Administrative Reporting Structures

  1. Direct to the CEO – This is the ideal of course, as you can usually assume that to have this hands-on approach the CEO takes security seriously. Seriously enough anyway. That said, in this configuration the BoD must take a more active role in order to ensure full CISO independence.
  2. To the CSO – A true CSO will generally have more than just data security as their remit, but CISO and CSO are very often used interchangeably. So depending on what the CSO actually does, this can be a good fit if s/he does not interfere with the CISO’s dotted line to the BoD.
  3. To the CTO – To me this is almost the definition of conflict of interest; this never works even if the BoD dotted-line is in full effect.
  4. Any other member of the C-Level – At this point, the duties of the CISO are so far removed from the knowledge/skill-set of their manager that it almost doesn’t matter which one you choose. This will be administrative-only reporting in the extreme. But as long as the CISO’s relationship with the BoD is healthy, this should not detract from the CISO’s ability to get the job done.
  5. Below C-Level – If the CISO role is more than 2 layers beneath the CEO, don’t bother having one…

https://www.peerlyst.com/posts/to-whom-should-the-ciso-report-david-froud?utm_campaign=top_posts_on_peerlyst_this_week_10292019

The general gist of the discussion is that CISOs, to be as effective as possible, need a direct line of reporting to the top of the organization (or even be a member of the Board of Directors). Anything less and the CISO’s (often unpopular) ideas about how to improve security will get filtered or even blocked altogether.

In considering this opinion and what it means, I’d like to add a few thoughts of my own:

  • The correct organizational structure does not guarantee success as CISO.
  • A sub-optimal organizational structure should not prevent a motivated, clever CISO from accomplishing a lot of good.
  • Finally, to mimic Peter Neumann’s quote on encryption[1], if you think organizational structure is the answer to your problem, then you don’t know what your problem is.

What do you think? How big of a role does organizational structure play in the success of a CISO? What are the other important factors that make CISOs successful at improving their organization’s security?

By Terry Bradley, CTO & Director of Cybersecurity Solutions at PLEX


[1] https://crypto.stackexchange.com/questions/39337/why-does-neumann-think-cryptography-isnt-the-solution