Why the CISO should report direct to the CEO
As cybersecurity risk management has emerged as a top priority for companies across many industries, the role of the Chief Information Security Officer (CISO) has become an integral part of the enterprise.
Cybersecurity Ventures predicts that 100 percent of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by 2021.
Why? Businesses everywhere are facing daunting cybersecurity challenges, with stories of big-named brands hit with colossal data breaches becoming regular features in mainstream news outlets. The CISO’s addition to the boardroom has come as a response to these common headlines, with the role now critical to ensuring high security and risk management across the business.
Yet despite the growing importance of the role, the corporate politics surrounding it is ongoing. To whom the CISO should report to and what influence they should have, remains a continued point of contest.
Research has shown that CISOs are lacking the decision-making and purchasing power they really need to make a difference, with many being confronted with internal obstacles, struggling to get their voices heard.
Only half (52 percent) of CISOs feel the executive teams value the security team from a revenue and brand protection standpoint. Worryingly, almost one-in-five (18 percent) believe their board members are indifferent to the security team or even see them as an inconvenience.
Since the position was first created, the majority of CISOs tend to report to the chief information officer (CIO). And according to a recent report, 62 percent of surveyed financial institution CISOs still follow this reporting structure.
According to some, however, the CISO – CIO reporting structure represents a potential governance crisis, with the defensive mindset of the CISO often conflicting with the uptime, availability, and content-driven goals of CIOs. Another concern relating to this structure is that cybersecurity measures may come second to revenue-generating activities.
As such, many organizations are beginning to migrate away from the traditional CIO-CISO reporting structure in order to eliminate the tensions between security and operations that the traditional structure creates. By doing this, it also removes information security from the IT silo, allowing other c-suite executives across the organization to see and influence information security decisions.
In many organizations, the reporting of the CISO is being elevated to CEO level in order to give a business the check and balance, and integrity it truly needs. Unfortunately, it typically takes a data breach or serious security occurrence before the CISO presents to the CEO and board of directors.
In one study, 60 percent of respondents reported having a direct channel to the CEO in the event of a serious security incident. Yet, only 19 percent of respondents said they regularly report all data breaches to the CEO and board of directions.
Reporting to the CEO rather than the CISO comes with many business benefits. It allows for a frank, candid, and engaged discussion without the conflicts regarding risks, resources, prioritizations that often arises with other stakeholders such as the CIO.
This direct reporting would also allow CISO’s to better address the education gap between CEOs and the dangers of cybercrime.
According to a report by the UK Government’s Cyber Governance Health Check, just 16 percent of boards in UK’s FTSE 350 companies have a “comprehensive understanding of the impact of loss or disruption associated with cyber threats.” This is even more concerning given that 96 percent of these boards have a cybersecurity strategy in place.
By having more direct conversations with the CEO, security officers can offer a better understanding of the cruciality of cybersecurity for the business.
So, should CISOs report directly to the CEO?
Ultimately in this hypercompetitive marketplace, businesses simply cannot afford to undervalue their CISO. Whoever the CISO reports to – be it the CIO, CEO, or CTO – what really matters is having engaged, influential conversations around cyber risks that lead to action taken.