Security has become a top concern for enterprises, so it is no surprise that the chief information security officer (CISO) reporting structure has changed. From 2016 to 2017, the number of organizations with a CISO rose from 50% to 65%, and more than a third listed a CTO on their executive leadership pages. Other security and risk-related executive positions, such as chief risk officer (CRO) and chief data officer (CDO), have also grown in popularity. The introduction of these new roles, however, brings potential confusion about who should report to whom, and questions about how to implement structural changes.

There are clear benefits to having a designated CISO, but it is not a one-size-fits-all position, especially when it comes to reporting structure. There is no set, required company structure in the security industry, and there are considerable variations in the composition and responsibilities of corporate titles. Within the corporate office or corporate center of a company, some companies have a chairman and chief executive officer (CEO) as the top-ranking executive, with a president and chief operating officer (COO) as number two; other companies have a president and CEO but no official deputy. So there is no universal reporting structure for the CISO. What follows are a few common practices for CISO reporting, each with its own pros and cons. Whatever the reporting line, it should be tailored to fit the organization's specific needs and culture.

Option #1: Reporting to the CIO.

In the past, it was typical for cybersecurity to be governed by the chief information officer (CIO), who is in charge of the IT management team and of enterprise-wide data processing and data security. However, cybersecurity involves far more than just IT; other departments need to be involved in order to create a truly secure organization. Reporting to the CIO may come at the expense of the culture, procurement, and operations functions of cybersecurity, such as promoting company-wide security awareness, assessing cyber risk while onboarding new vendors, and making sure that operating procedures follow security best practices. CIOs also have plenty of responsibilities on their plates, including rising demands for new applications, so a dedicated focus on security can be lost. When the CISO reports to the CIO, it is also important to consider where the CIO falls in the reporting structure, since that decides how far security concerns sit from the final decision makers.

Option #2: Reporting to the CEO.

Cybersecurity and cyber risk are increasingly getting their own C-suite positions, and in the current climate enterprise cybersecurity should have its own C-level position. Reporting to the CEO is perhaps the most effective reporting structure for the CISO: it gives the role top-level visibility within the business and lets the CISO lead the discussion and make independent decisions related to information security. In highly regulated industries (e.g., finance, healthcare, retail, utilities), a CISO reporting directly to the CEO is common. Reporting to the CEO does have potential downsides. CEOs may have less hands-on knowledge of cybersecurity than other executives, and less time to spend listening to and thinking about cybersecurity concerns.

Option #3: Reporting to the CRO.

Reporting to the chief risk officer (CRO) can improve organizational understanding of cybersecurity and its relationship to overall risk, because it aligns the security program with the way risk is evaluated across the organization.

Option #4: Reporting to the CFO.

Reporting to the chief financial officer (CFO) has its own advantages and disadvantages. Using tools like security ratings, it is possible to assess cybersecurity performance in relation to specific initiatives and to spend money more strategically. The risk is that if financial issues are allowed to supersede cyber risk concerns, important cybersecurity initiatives may fall through the cracks.

Option #5: Reporting to the Board.

Some CISOs report to the Board, giving them the ability to communicate directly with the highest-level decision makers about cybersecurity needs. Keep in mind that most Board members are not cybersecurity experts. A good way to communicate the big-picture impact of security is to keep the Board updated with easy-to-understand cybersecurity metrics and KPIs, such as security ratings, in order to demonstrate measurable progress.

Other reporting lines.

Studies show that reporting to the General Counsel is one of the more common reporting relationships for security executives. The rest report to the chief operating officer (COO) or a risk management leader. For non-CEO reporting lines, relationships outweigh reporting structure: interacting with multiple top-level executives is common, but disputes can arise at that level when subordinates take direction outside the chain of command, and the question of final authority becomes important. Other executives have a role as well. The CMO, for example, has a responsibility to understand the issues surrounding security threats, because marketing initiatives such as data mining are tied to customer engagement strategies that require input from IT and must balance the associated risks and benefits.

Security is getting more complex and requires constant awareness of new threats, frameworks, regulations, and best practices. Because of their impressive resumes, experienced security executives expect to be in the inner echelon of the C-suite, and giving the CISO a seat at the business table is a necessary change for organizations attracting such candidates. The CISO enables business leaders to make the right decisions, and enterprises are beginning to understand the issues surrounding security threats. The 2016 Transforming Government Security Review mandated the removal of legacy structures to avoid compliance with outdated standards and processes.

Sources drawn on for this page: the BitSight Technologies blog on CISO reporting structure; Security Magazine columns on the security organization reporting to the General Counsel and to the CFO (By Steven Grossman, September 15, 2016); Scott Koegler, who practiced IT as a CIO for 15 years and has more than 20 years of experience as a technology journalist; and "Structuring the Chief Information Security Officer Organization", Technical Note, October 2015, Julia H. Allen, Gregory Crabb (U.S. Postal Inspection Service), Brendan Fitzpatrick, Nader Mehravari, David Tobar.