The roles of chief information security officer (CISO) and chief information officer (CIO) have long run in parallel, so much so that until recently the CISO customarily reported directly to the CIO.
Recent changes have shifted that reporting structure. CISOs now sit under a range of other executives, with the reporting line often customized to a particular business or industry.
This article looks at the different reporting structures commonly employed by today’s top companies and how these structures may change the relationship between CISOs and senior leadership.
Historically, the chief information security officer served an IT function concerned primarily with applications and technical infrastructure, so it made sense for the CISO to report directly to the CIO.
Today, however, the CISO undertakes a broader range of responsibilities, which can include, but are not limited to:
This shift means it no longer makes sense to view the CISO primarily through the lens of information technology. The role is now closer to that of an internal auditor: the CISO assesses the risk in systems the IT organization builds and operates, and that assessment is harder to give independently when the person being assessed is also the CISO's boss. That is why it increasingly makes sense for the CISO to report to another member of the leadership team.
According to a Cowen Partners survey, 61% of today’s CISOs report to someone other than the company’s CIO. Instead, they report to executives in a range of other positions, including the chief technology officer (CTO), chief risk officer (CRO), chief operating officer (COO), general counsel, or the CEO directly.
This variability means there is no single “correct” CISO reporting structure. Each company needs to adopt a structure that reflects its own needs.
For example, some organizations need to emphasize security engineering, while others need to emphasize risk management and auditing. A CISO who occupies a broader, more generalized role may be best placed working directly with the CEO.
What should companies consider when designing a CISO reporting structure? The decision turns on several factors, most of which reflect how the CISO role fits into the company culture as a whole.
Here are some of the considerations to keep in mind when shaping your reporting structure:
Not all industries have the same needs, so your CISO reporting structure should reflect what makes your company different.
For instance, businesses in heavily regulated industries (such as healthcare) might orient the role toward risk evaluation and auditing, with the CISO reporting to the CRO or general counsel. Cloud, SaaS, and technology companies might orient the role around engineering leadership, with the CISO reporting to the CTO or COO.
“Who do you want to oversee the CISO?” may be the more important question. The goal is to ensure the CISO is guided by a consistent, trustworthy set of functional leaders.
The danger is that a company keeps the CISO beneath the CIO and then leaves the CISO pulled in different directions as organizational needs evolve. Consistency is key, which means the executive you choose must have the bandwidth to work with the CISO as needed.
When a CISO reports to the CIO, the CISO typically has little influence over the company’s broader decisions, and there is a built-in conflict of interest: the same executive owns both the delivery of IT systems and the assessment of their security. When the CISO reports to the CEO, by contrast, the office carries considerably more corporate influence, and security findings reach leadership without passing through the function being evaluated.
Every organization needs to decide how much it wants to rely on input from the CISO when making strategic decisions. In technology companies, for example, the CISO may need to shape major policies directly.
Some of these decisions depend on the soft skills a CISO has, or the skills you want in future hires. The best CISOs don’t just have deep technical ability; they also communicate well and offer unbiased, clear evaluation and guidance.
A CISO should also have the leadership ability to engage others and to hold the difficult conversations that move the company forward.
Organizations accustomed to having the CISO report to the CIO will need a transition. How can you make that transition smoothly?
First, recognize that obstacles will remain. Many employees will continue to see the CISO only through the lens of IT. This need not become a barrier, but it is an issue to navigate.
That obstacle is a reason to communicate the need for the change and to educate your teams on the varied role the CISO now plays.
Communication also means making sure all personnel are informed of changes to the reporting structure, so that every affected party understands the organizational chart.
Mentoring relationships can also guide the transition. CEOs, for example, might seek input from other industry leaders to understand the company’s changing needs.
Internally, companies can foster mentoring between seasoned team members and new hires to ensure everyone assimilates fully into the company culture.
Throughout any transition, stay focused on your company’s core values and mission. Your reporting structure should align with your company culture and help the organization reach its full potential.
Success depends on the right measurements. As you adapt the reporting structure, make sure you are still meeting key benchmarks across the organization and maintaining focus on financial goals and strategic initiatives.
The ability to adapt to changing circumstances and company needs is what sets thriving companies apart. Changing your CISO’s reporting structure requires a transition, but it can substantially improve the effectiveness of your entire organization.
Our experienced technology recruiters have experience working with private, public, pre-IPO, and non-profit organizations. Clients are typically $50 million in revenue to Fortune 1000’s or have assets between $500 million to $15 billion. Successful placements span the entire C-Suite – CEO, Chief Information Officer, Chief Security Officer, Chief Technology Officer, and include vice president, general counsel, and other director-level leadership roles.
Learn how our technology recruiters deliver top talent, no matter the need, with our industry-leading research and resources. Discover the strategy that made Cowen Partners a leader among the nation’s top technology executive search firms in New York, Chicago, Seattle, Atlanta, Dallas, Los Angeles, and beyond.