Where Should the Chief Information Security Officer Reside in Your Org Chart?

By Casey Lang • September 15, 2015

The debate over where the Chief Information Security Officer belongs on the org chart continues. Much of the information security community holds that separation of duties requires an information security function that can operate autonomously, with a mission distinct from that of IT. The opposing argument is also made, and with some justification, since successful information security programs exist today within the ranks of IT. What is missing is any consensus on the common factors that make an information security program succeed, as those factors relate to the organizational placement of the CISO. So what might these success factors be?

1: Management Direction and Support

It is commonly accepted that an information security program needs management buy-in. More than simply buying in, the executive team should be thoroughly involved as a stakeholder in, and a governance participant of, the information security program. A CISO must have the autonomy, visibility, and decision-making authority to set strategy, drive change, and exert influence throughout the business. Reporting through the IT function without these can constrain an information security function in two ways: it forces alignment with a mission that is narrower than, and at times contradictory to, that of an information security program, and it limits the exposure the CISO needs to articulate information security initiatives upward.

To be fully effective, a CISO must have the means to garner executive support. To accomplish this, a CISO should be in a position to engage executive management directly, either through an appropriate reporting structure or through an executive council or committee.

2: Delivering Security Awareness Upward

Beyond end-user awareness initiatives, the CISO should be responsible for educating the executive team on the information security matters that are specifically relevant to executives. This highlights the need for the CISO to have access to, and visibility at, the highest management levels. Metrics, reports, dashboards, and executive presentations should articulate IT and information security risk in terms that foster sound business decisions and build support for information security initiatives. Ultimately, an upward approach to information security awareness should keep information security from becoming an afterthought for the executive team, by providing relevant, actionable, and measurable information on a consistent basis.

Reporting through an IT function can break or limit these communication channels. The problem is compounded by the conflict of interest between a CISO and IT management that arises whenever information reported by the CISO has the potential to highlight deficiencies in IT processes and capabilities.

3: Accountability

The driving force behind information security must first come from the educated and thoughtful decisions of an executive team that understands that the executives themselves are accountable for information security.

As security incidents become increasingly visible to the public, incident handling tends increasingly to shift toward crisis management processes aimed at reputational damage control. An unfortunate aspect of a reactive industry like information security is that it takes an impactful event, such as a breach, to drive meaningful change. The reality is that publicized information security events expose the disconnect that often exists between the executive office and an organizationally buried CISO.

Placement, or misplacement, of the CISO role under an IT function, to continue the example, can come from one of two things: intelligent decision-making based on careful assessment, or negligent disregard and a lack of accountability at the executive level for a function that appears more vital with every public breach. In some cases it may make sense for the CISO to report through IT operations, where the IT function leader is well versed in information security and can provide the CISO with enough executive access, autonomy, and authority to avoid conflicts of interest. However, the executive team must be cognizant of the challenges and risks of remaining disconnected from an information security program for which they are accountable. The success of the CISO deserves the attention and support of the highest organizational levels.

Conclusion

Some may contend that one organizational placement of the CISO is better than another, and in particular circumstances some arrangements are indeed better than others. There is no definitive right answer, but there are factors that contribute to a CISO's success and effectiveness. As breaches continue to make headlines, executives need to consider how their CISO best fits into their business construct, so that the role can be not only an effective leader of an information security program but also a resource that provides the necessary interfacing with, and awareness to, the C-Suite.
