Lessons from the field: who should the CISO report to?
- Joel Van Dyk
- Mar 23, 2023
- 3 min read
It’s spring (officially anyway), and everyone trots out the organizational article: who should the CISO report to? Besides being fun, moving around reporting structures often passes for progress in most corporations. I’ve been in all these situations. So, here we go:
The CISO reports to the CTO: usually a mistake. This is the fox watching the chicken coop. The CISO needs to act as an honest control to make sure security is incorporated into technology. That’s hard to do when the head of technology is paying your salary. This seldom works in the long term, as short-term technology delivery is often traded for long-term security. Very difficult for a CISO.
The CADO: because everything’s software these days? This has all the same pros and cons, and mostly cons, of the CTO.
The CISO reports to the CIO: better than reporting to the CTO, as you are now on an equivalent footing with the heads of technology and application development. Still not great, since the CIO’s primary function is to deliver technology at cost to the firm. This can work if you have an extraordinarily conscientious CIO who realizes security is part of delivering that solution at cost. It still seems the most prevalent model.
The CRO: this concentrates the CISO job on risk evaluation. Risk evaluation, as I’ve written, is an important part of the output of the CISO function, but not the only part. I haven’t seen this work for myself or any of my colleagues.
The Chief Counsel: this concentrates the CISO job on the legalistic aspects, trying to build security protections into contracts. It divorces the CISO from the technology and risk functions. Also, you are expected to protect the firm in court from security incidents, and that is going to be hard. It’s like closing the barn door after the cow has escaped, when you have no idea where the cow has gone. I haven’t seen this one be successful either.
The CAO: the chief administrator is concentrated on making the bureaucracy work more efficiently, not on putting in tollgates. I haven’t seen this model.
The CFO: I mention this because some of my colleagues have been in this situation. The bean counters are great in that they focus the management of the firm on the performance key result that will summarize the firm: money. They do a great job of that. They don’t know cybersecurity, or cyber in general. You can’t control security with monetary incentives (well, mostly you can’t). As an experimental data point, I haven’t seen this work either.
The COO: better, since you are now a peer of the information/technology delivery organization (CIO), which you are supposed to secure, and of the risk organization (CRO), which you need to provide risk evaluations for. You are also the peer of legal, so you can help build security checkpoints into contracts (especially important with SaaS vendors). You are also the peer of procurement, so you can build security vetting into all purchases of software, etc. Again, this is important in a world of SaaS. As a peer of the CFO, you can start to track and invent spend for security, and influence the reward ROI for security. You also, as CISO, have to report to the Board frequently. So does the COO, so the COO can help with this important constituency. You may also have the physical security guys report to you, which makes no sense. Physical security is its own speciality. Why would a tech guy like me know anything about most of it outside of securing computers? Personally, I’ve been most successful with the COO model. At least you are starting to get the right influence for what most companies say is a top goal: security.
The CEO: Frankly, it’s coming to that. If security is really a top OKR (see John Doerr, Intel, and Google), then who better to make that happen than the CEO? It gives the CISO corporate-wide influence and budget. I’m not the first to suggest this by far (see Gartner and CIO magazine).
So, there you have it: COO or CEO if security is really a top corporate objective and the company wants to drive that key result.