The CISO Organization and its Place in the Corporate Hierarchy
The role of the CISO has changed dramatically over the past decade. It used to be a more technical role. Today, the Chief Information Security Officer has much more of a business role, working closely with other Chief Officer functions, including the Chief Information Officer, to translate business strategies into security strategies and secure IT infrastructures. The CISO is backed by an organization dealing with technical issues, program management, and security operations. There are different approaches to positioning the CISO in the enterprise hierarchy.
The CISO organization
The CISO organization is in charge of a broad range of tasks. On the one hand, it is responsible for security operations, threat prevention, and security engineering. On the other hand, program management in particular requires intensive coordination with the individual departments and, of course, the IT function; this coordination is usually done through Information Security Executive Councils.
Highly diverse skills are required to handle the different tasks of the CISO organization. They range from business management functions such as personnel and provider management, through crisis management in emergency operations teams, to hardcore security engineering in security engineering teams or security operations centers.
The CISO has to be:
- A security advisor to the enterprise, especially to the C-level, on business and technical aspects;
- A networker with close relations to the C-level and key providers;
- An experienced department manager who manages a heterogeneous team, making sure that reporting is adequate and reliable, operations are running smoothly, and programs and projects are aligned with enterprise strategy and projects in the different business units.
Where should the CISO be placed in the enterprise hierarchy?
The way enterprises are organized varies a lot depending on the industry, individual preferences, and size. However, as with most C-level roles, there is a common understanding of where to place certain roles in an organization. The CISO, despite being called Chief Officer, is not necessarily part of the C-suite. PAC’s research points to five options for positioning the CISO and their organization in the corporate hierarchy.
1. The CISO reports to the Chief Security Officer (CSO), who is in charge of overall enterprise security, including risk management, compliance, etc. For companies that have a CSO, this is the ideal option, allowing consistent security management and clear separation of budgets from other activities.
2. In many enterprises, CISO and CSO are one role. That means the CISO reports to the CEO, i.e., they have their own budget and, as part of the C-suite, easy access to their peers.
3. In many organizations, a Chief Risk Officer handles risk management, but the CISO reports to the CIO. While this strengthens the close link between IT and security, it also limits the ability to work with the C-level and business unit managers. The CISO usually has limited budgetary freedom.
4. In upper-midsize companies in particular, there is still a CIO reporting to the CFO, and based on this logic, the CISO also reports to the CFO. This is not ideal, as CFOs usually are not the best networkers and door openers to the C-suite for cybersecurity topics. In this constellation, budgetary freedom is also limited.
5. This option also remains quite popular in upper-midsize companies. The CISO reports to the CIO, who in turn reports to the CFO. This makes the CISO a team manager – a position no real CISO should accept because security is not exclusively an IT function and needs to be closer to the CEO to be effective.