It seems like a simple question. After all, there seems to be little debate about where other C-suite officers should report. While there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer, these are relatively tame compared to the heated debate that I have witnessed and been a part of over the past few years.
The fact that this question is asked at all is an indication of the growing acceptance of the CISO role and function. In 2006, only 22% of the more than 7,000 organizations responding to PricewaterhouseCoopers' annual information security survey reported having a CISO or equivalent. By 2011, more than 80% of respondents reported having a CISO.
But there remains strong disagreement about to whom the CISO should report. The prevailing recommendation is that the CISO absolutely should not report to the CIO. According to many people who write on this topic, having the CISO report to the IT organization is an inappropriate segregation of duties. However, the fact is that between 40% and 60% of CISOs do report to the CIO or IT executive, depending on industry. And in some industries there is a clear trend toward this reporting structure.
Even if we all agreed that the CISO should not report to the CIO, that does not answer the question. If you ask seven world-class organizations where the CISO should report, you might well get seven world-class answers, each of them vehemently defended by the company that proposed it.
Let's take a step back and take a look at the question from a different perspective. When you are introduced to a doctor, you would probably ask, "What type of doctor are you?" The response will indicate the doctor's specialty, skills, training and experience. And if you were looking for an attorney or accountant, your first question to them would be what type of attorney or accountant they were.
When introduced to a CISO, you can't ask that question. We do not think of there being types of CISOs. The question we tend to ask instead is, "Where do you report?" Who a CISO reports to is a general indicator of the types of duties he or she performs. For example, it's likely that a CISO who reports to legal and compliance won't have security operations responsibilities, but one who reports to the manager of network operations and infrastructure probably will.
The variety of CISO job descriptions are further evidence of the diverse skill sets that organizations currently require from people in that role. A few factors that influence where the CISO reports include enterprise strategy, organizational culture, the company's history with the CISO function, the business's security incident experiences, and compliance requirements.
I suggest that different organizations require different types of CISOs based on these considerations. Of course, circumstances change over time and may require a change in the CISO's reporting structure.
Three Types of CISO
There are three major types of CISOs. Most versions of the role will be a mix of more than one type, but these descriptions provide some insights into where the CISO should report.
1. The Technical Information Security Officer (TISO)
The TISO specializes in technical security issues, operations and monitoring, which includes managing firewalls, handling intrusion-detection and intrusion-prevention systems, and so on. The TISO also coordinates and manages technical policies and control and assessment activities. This person should report to the CIO, CTO or IT management.
2. The Business Information Security Officer (BISO)
The BISO specializes in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other. This person also assists in the implementation and translation of enterprise security requirements, policies and procedures.
Additionally, the BISO should perform business security assessments or, at a minimum, coordinate between identified business-related security issues. Ideally, there should be a BISO embedded in every major business unit or division, and he or she should report to business management.
3. The Strategic Information Security Officer (SISO)
The SISO specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization's mission, goals and objectives. The SISO must coordinate with the operations officer and the BISO to ensure appropriate progress. The SISO should also be responsible for metrics, dashboards and executive reports, and for presenting assessments of the state of security in the enterprise to the board of directors. The SISO should report to an executive management function such as the chief risk officer, chief operating officer or chief legal counsel, or to an executive management committee.
When considering who the SISO will report to, think about whether superior executives will be able to appropriately support the SISO. For example, would the CEO be able to spend as much time with the SISO as is needed? The SISO should be also able to represent the corporation externally, that is, with third parties or in cyber insurance discussions.
You may infer that you need more than one type of CISO for your organization--and you may be right. In fact, for some organizations, one CISO is not enough. Seven percent of organizations responding to the PricewaterhouseCoopers's 2011 global information security survey reported having more than one CISO. So, to whom should the CISO report? The short answer is: to the most effective manager, depending on the type of CISO.
John Kirkwood is chief information security and strategy officer for Security Innovation. He is also the chief strategist for Smbiosys. Previously, John has been a global chief information security officer for Royal Ahold and American Express.
This story, "Who should the CISO report to?" was originally published by CSO.