Where the CISO Reports

Since the role of the Chief Information Security Officer (CISO) and how he or she reports has a major impact on security and risk, I think it’s interesting to look at how different organizations have structured the position. With that said, there is very little consistency other than a correlation with the industry vertical’s understanding of IT risk.

Within financial services organizations, the CISO (occasionally the top position is given to a Chief Security Officer (CSO) that owns both physical and IT security) often reports to the Chief Information Officer (CIO). However, at many large financial services organizations, the CISO or CSO reports outside of IT, often to the Chief Risk Officer or other C-level executive.

The CISO position within healthcare has been treated quite differently. Because of HIPAA, many organizations didn’t want to promote the security manager to the CISO position, so they gave their CIO the CISO title as well. There is often a Director or Manager of Information Security a few rungs down reporting to a lower-level manager.

Information security within retail is also quite different. With the focus on PCI, the CISO or director of information security is often tied to the PCI or compliance group. Within large retailers that have loss prevention or risk departments, the CISO sometimes reports through them.

Because of their historic focus on physical security, energy companies often have a CSO or CISO that owns both the organization’s IT and physical security. In some cases I’ve seen this position report to facilities, but usually it reports into operations, and occasionally it reports to the CIO.

The military often leads industry in its adoption of information security practices. One interesting change is that security teams have taken significant ownership of IT leadership. In the case of US Cyber Command, a separate group is being set up outside of IT reporting directly to the highest levels of government. I’m not sure how this change will find its way to the private sector, but it is a very interesting precedent that will likely have an impact on information security and the CISO.

In general, the more risk-sensitive the industry, the higher the up CISOs will report, until they report entirely outside of IT. In many cases, regardless of where they fit in the reporting structure, the CISO will report regularly to the board about the state of initiatives, compliance, audits or assessments. With this type of visibility, I think it’s clear that the CISO will continue to rise in prominence, and the information security reporting structure will continue to evolve. However, it may take a compliance-related mandate within the lagging industry verticals for this to happen quickly.

Discover why security operations teams choose NetSPI.