Since the role of the Chief Information Security Officer (CISO) and how he or she reports has a major impact on security and risk, I think it’s interesting to look at how different organizations have structured the position. With that said, there is very little consistency other than a correlation with the industry vertical’s understanding of IT risk.
Within financial services organizations, the CISO (occasionally the top position is given to a Chief Security Officer (CSO) that owns both physical and IT security) often reports to the Chief Information Officer (CIO). However, at many large financial services organizations, the CISO or CSO reports outside of IT, often to the Chief Risk Officer or other C-level executive.
The CISO position within healthcare has been treated quite differently. Because of HIPAA, many organizations didn’t want to promote the security manager to the CISO position, so they gave their CIO the CISO title as well. There is often a Director or Manager of Information Security a few rungs down reporting to a lower-level manager.
Information security within retail is also quite different. With the focus on PCI, the CISO or director of information security is often tied to the PCI or compliance group. Within large retailers that have loss prevention or risk departments, the CISO sometimes reports through them.
Because of their historic focus on physical security, energy companies often have a CSO or CISO that owns both the organization’s IT and physical security. In some cases I’ve seen this position report to facilities, but usually it reports into operations, and occasionally it reports to the CIO.
The military often leads industry in its adoption of information security practices. One interesting change is that security teams have taken significant ownership of IT leadership. In the case of US Cyber Command, a separate group is being set up outside of IT reporting directly to the highest levels of government. I’m not sure how this change will find its way to the private sector, but it is a very interesting precedent that will likely have an impact on information security and the CISO.
In general, the more risk-sensitive the industry, the higher the up CISOs will report, until they report entirely outside of IT. In many cases, regardless of where they fit in the reporting structure, the CISO will report regularly to the board about the state of initiatives, compliance, audits or assessments. With this type of visibility, I think it’s clear that the CISO will continue to rise in prominence, and the information security reporting structure will continue to evolve. However, it may take a compliance-related mandate within the lagging industry verticals for this to happen quickly.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.