This article appeared on LinkedIn on 25th April 2017. Rather than publish a link to that post, I thought I’d repost the whole thing here.
This question has caused a lot of head-scratching in the past, and it continues to be a very contentious issue.
Historically, the Chief Information Security Officer (CISO) has typically reported to the CTO (Chief Technical Officer) or perhaps the CIO (Chief Information Officer) – if a company had either of those roles. The majority of companies viewed (and perhaps continue to view) Information Security as an IT or Technology issue, and those that are a bit more forward thinking ally Information Security to Information Management, hence these two traditional locations in the company hierarchy.
The other most common reporting lines which I’ve witnessed are reporting to the CFO (Chief Financial Officer), or reporting to the CRO (Chief Risk Officer). There are good reasons for both of these – one holds the purse strings (and security always costs something: doing nothing is rarely cheaper once the consequences are counted) and the other is concerned with risk (and security is all about risk mitigation).
What should we be doing?
I think it is very much accepted these days that the CISO should be a full board member, and this has to be welcomed. To my mind, there should be a strong dotted line from the CTO, the CIO and the heads of HR and facilities into the CISO. I know it’s a bit chicken and egg, particularly with the CIO role, but I think that all of these roles must be accountable to the CISO in terms of security.
The CISO should not be telling any of the other roles how to do their jobs, but they should be defining the security requirements which fall within the remit of each of these roles.
For example, the CISO shouldn’t be worried about whether Windows, macOS or Linux is used as an operating system, but they should be concerned with whether those machines are patched, have antivirus installed, are encrypted where necessary, etc. They should let the CTO work out how to do all of that, on whatever OS is required, but the CTO must ensure that the CISO’s requirements for security are met.
As another example, the CISO shouldn’t concern themselves with HR issues such as appraisals, pay etc., but they do have an interest in ensuring that new starters are appropriately vetted, that access rights are revoked on termination of employment etc.
Please note that I’m not suggesting that HR, Facilities, IT etc. should report to the CISO: that just wouldn’t make sense. All I’m suggesting is that they have a level of accountability to the CISO and that companies would do well to recognise that going forward. Who’s with me?
You may also be interested in this article from Dark Reading, about why CISOs have a different view of the primary objectives of cyber security compared to some other board members.