C-Suite Shuffle: The CISO’s Evolving Role and Reporting Structure

BrandPost By Nick Puetz and Farid Abdelkader
Mar 15, 2022 | 6 mins
CSO and CISO

The ever-evolving cybersecurity threat landscape increases the importance of both the CISO role and the need to study where it falls within the enterprise.

Credit: Protiviti

In 1994, Steve Katz became the world’s first chief information security officer (CISO) after Citicorp endured a string of cyberbreaches at the hands of Russian hackers. Katz is an undisputed legend in the CISO profession that he’s credited with launching. His origin story remains relevant today for CISOs adapting to new reporting structures and relationships with their C-suite colleagues.

Cyberattacks continue to drive CISO hiring and information security investment today, more than a quarter-century after the position first emerged. How the role has evolved since then sheds light on the current trend of CISOs reporting directly to the CEO or another C-suite officer, with a dotted-line relationship to the CIO – but at the onset of the CISO role, this was not the reporting structure.

A quick CISO history lesson

The CISOs who immediately followed in Katz’s footsteps typically had come up in the IT function. They had networking and infrastructure experience, maybe some IT audit expertise, and even a little bit of risk management in their backgrounds. The role was technical in nature and attracted rising leaders who may have aspired to become a CIO. (Prior to the CISO position, the role was often called a security manager.) During the position’s first decade of existence, most CISOs reported directly to their CIO and CISOs did not have board-reporting responsibilities.

The role began evolving in the mid-2000s as cyberattacks intensified and industry regulators and standards-setters began to respond to those incidents with new rules and guidelines. The continual adoption of more sophisticated systems and technologies, accompanied by data-driven approaches, continues to shape the CISO role to this day.

Some of these shifts raised questions about competing interests between the CISO and the CIO. CIOs, then as now, were charged with propelling the business forward by transforming its inner workings from manual processes to automated processes via enabling technology – as quickly and cost-effectively as possible. That mandate and approach can conflict with the CISO’s mission to protect the organization from cybersecurity risks. New technology often introduces new risks and mitigating those takes time and costs money. CISOs were understandably conflicted about impeding the efforts of the person signing their checks. These issues started triggering more questions about whether the CISO position should be separated from the CIO and the IT function.

Later, regulations in the financial services industry – which has long served as something of a cybersecurity beacon for other sectors – raised additional questions about the CISO reporting structure. The Office of the Comptroller of the Currency (OCC), in its September 2014 Final Rule, distinguished the risk management responsibilities of an organization’s first (business units), second (risk management) and third (internal audit) lines of defense. That distinction fundamentally changed how banks organized their reporting structures, including for CISOs, whose independence from the CIO was established by having the position report instead to the chief risk officer (CRO), chief audit executive, CFO or even the CEO.

New stakeholders and benefits to consider

State, federal and international information security and data privacy regulations have proliferated in the past few years, and many of these new rules require companies to have a CISO position. For example, the Bermuda Monetary Authority’s Insurance Sector Operational Cyber Risk Management Code of Conduct and the New York Department of Financial Services Cybersecurity Regulation both call for organizations to have a CISO in place.

Recently, the U.S. federal government has issued several security memoranda and directives – among them President Joe Biden’s executive order to strengthen the nation’s cybersecurity – that underscore the need to have a CISO in place. In addition, the American Institute of Certified Public Accountants (AICPA) has developed a mock audit that is being proposed as an attachment to financial audits; it communicates the need for every public company to have a board member with security expertise.

The expanding data privacy and security regulatory landscape, along with the growing prevalence and pervasiveness of ransomware and malware attacks, further underscores the importance of the CISO role.

These developments have increased the modern-day CISO’s responsibilities while raising important questions about the role and where it sits in the organization:

  • Should we spin out a separate data privacy function under the CISO, a chief privacy officer (CPO) or a data protection officer (DPO)?
  • What is the real role of the CISO – governance, risk management (second line) or operational security (first line)?
  • How can an independent information security program maintain a collaborative partnership with the IT function, given the crucial need to address security in development operations? Isn’t there an inherent conflict in the role?

Regardless of the state of their cybersecurity capability, most organizations need to carefully consider, or reconsider, the CISO’s reporting relationship(s). A recent survey on CISOs, conducted by Hitch Partners, found that the percentage of CISOs in private companies who report to the CEO (27%) has more than doubled since 2019 (11%). The survey also shows a shift away from CISOs reporting to the CIO in publicly traded companies.

Ultimately, there are pros and cons to having the CISO report to a C-suite executive other than the CIO, such as the CEO or CRO. The benefits of reporting to the CEO or another C-suite officer include:

  • Aligning with the CISO’s corporate oversight objective;
  • Insulating the cybersecurity budget from IT;
  • Increasing the CISO’s authority and influence outside of IT, which empowers the CISO to interact regularly with business units, elevates the CISO’s proximity to the broader business and IT threat landscape, and improves overall communication about information security;
  • Reducing the perception that cybersecurity is solely an IT problem;
  • Ensuring the CISO team’s projects and workload are organized and managed independently from the IT department;
  • Enhancing the group’s ability to manage shadow IT security risks; and
  • Strengthening the CISO’s hand when the CIO accepts too much risk.

On the other hand, there also are benefits to consider in maintaining a CISO-CIO reporting structure, such as:

  • Elevating the CISO’s influence and authority within IT;
  • Reducing the coordination overhead between the CISO’s team and IT, compared with the team operating separately (i.e., as part of the CEO or CRO organization);
  • Increasing the CISO’s proximity to first-line infrastructure, development teams, the changing technology environment and the daily threat landscape; and
  • Emphasizing the importance of information security in first-line business functions, rather than treating it as an issue for risk management (second line) or internal audit (third line) to address.

CISOs and their C-suite colleagues have a lot to weigh when evaluating which reporting structure serves the best interest of the organization. Given the challenging mandates CISOs have to protect their increasingly data-driven organizations amid a rapidly growing threat landscape, those considerations are well worth contemplating.
