Reporting relationships are more than lines on an org chart; they are lines of authority. Ultimately, who the CISO reports to may say more about an organization’s maturity than it does about an individual’s effectiveness.
Josh Fruhlinger of CSO.com does a great job of unearthing the conflict CSOs face when reporting under the IT umbrella and the advantages of changing the reporting structure. Some highlights are listed below, but read the full article here.
The recent Global State of Information Security Survey 2018 (GSISS) revealed that reporting structure does have some effect on the financial impact of security incidents (see chart below).
In organizations where the CSO reports to the CIO, respondents reported average estimated total financial losses of $2,577,513 due to security incidents. Those that report to the CEO had estimated losses of $2,545,742, and those that report to the COO had estimated losses of $3,119,717. The reporting relationship with the greatest estimated losses: CSO to Legal Counsel, with losses of $3,773,931.
Getting the ear of those decision makers is one of the most important reasons why a CSO might want to get out from under the IT umbrella — and the closer you can get to the top, the better. “In an ideal world, a CSO/CISO would report directly to the board of directors,” says Kudelski Security’s Hicks. “Given the political realities at most firms, I think a more realistic target is to report to the CEO or equivalent.
For a CISO or CSO to be truly effective, they need access to the central decision-making process and the authority to participate in that process as an independent voice. To truly provide guidance to the organization around the security of its information and assets, you need to be in the executive-level decision-making conversations. And not simply as an observer: you need a full vote.”
Having top leadership’s ear has concrete and practical benefits when it comes to getting the resources a CSO needs. “Typically, in successful organizations with a strong culture of security, we see the CSO report to leaders such as the CFO or COO,” says Chris Duvall, Senior Director at The Chertoff Group. “These leadership roles are often heavily involved in the day-to-day decision making and have the ability to understand and incorporate long-term security needs into capital expenditure planning, as well as to resource and extract ‘emergency’ requirements and funds when necessary.”
The respect you deserve
A CSO who reports to the top is taken more seriously, which can only add to their job satisfaction. An organizational distance from decision makers “is one of the most common reasons the average tenure of a CISO is around 18 months,” says Hicks. “It’s not an easy job to begin with, and if it’s not set up for success, it’s untenable over the long term.” If a company is looking to hire a new top security exec, according to LaSalle Network’s Wallenberg, it “will have more success in attracting top-tier talent if the CSO reports to the CEO.”