Should the Chief Information Security Officer report to the CEO or the CIO? Technology research and analyst organisation IDC has predicted that as the cyber security threat increases, 75% of Chief Security Officers and CISOs will be reporting directly to the CEO by 2018. [See also: CISO reporting line - Should the CISO report to the CEO or CIO?]
The situation at the moment is one of CISOs reporting to the CIO, however. Studies by both Forrester and PwC showed around a quarter of CISOs report to the CEO with half reporting to the CIO. Perhaps the trend predicted by IDC is yet to take off, however, with new CISO at Standard Chartered, Cheri McGuire, hired in May 2016 to report to the global bank's Group Chief Information Officer.
Here we look at eight reasons the CSO or CISO should report directly to the CEO and not the CIO:
1. Security is an issure for the entire company, not just the IT department. As a CISO advisor said, "A CISO's job is not to protect IT - a CISO's job is to protect the business."
2. Organisations where the CISOs report to CIOs have 14% more downtime due to security incididents, according to a study by PwC.
3. Organisations where the CISO reports to the CIO have financial losses that are 46% higher, according to the same PwC research.
4. If security concerns threatens to stall an IT project, the CIO might overrule it.
5. The CIO might be reluctant to approve security projects that hinder IT productivity.
6. If a security project costs money, the CIO might choose to spend it on IT instead. Todd Fitzgerald, CISO at Grant Thornton, said that when CISOs report to the CIO, money becomes part of the CIO's pot. "When other projects need more funding or resources to get things done, the money is pulled from security," Fitzgerald said.
7. Reporting outside of the CIO puts the CISO and CIO on a more equal footing with each other, and actually can give security and IT issues more visibility in that way, according to Grant Thornton CISO Fitzgerald.
8. Some regulators are beginning to mandate CISOs report to the CEO - and many more may follow. In Israel, for example, there are laws dictating that CISOs report directly to the CEO.
Do you think a CISO should report to the CEO or CIO? Let us know on Twitter or in the comments below.