
The Bottom Line: The perfect reporting model does not exist, because every model entails compromises and trade-offs. But one thing is becoming increasingly clear: if your CISO still reports to the CIO, you must reassess the effectiveness of that model now to ensure the necessary leadership, authority and independence are in place.
In the first half of 2022, our Pulse survey (of 602 executives in Global 2000 enterprises) showed that cybersecurity is the number one challenge that could adversely impact the strategic goals of an organization, ahead of inflation, supply chain disruption or changing customer expectations. Our latest cybersecurity study (150 cybersecurity executives in the Global 2000) has reaffirmed that the role of the CISO is evolving from that of a technical expert to that of a business leader contributing to the strategic direction of the organization.
- Almost one in two (48%) cybersecurity executives believe that the CISO should report directly to the CEO, and this does not come as a surprise. Some regulators are even beginning to mandate that CISOs report to the CEO (for example, Israel has laws dictating that CISOs report directly to the CEO). The responsibility of the CISO has recently expanded well beyond the perimeter of the organization, as CISOs are now tasked with managing information risks across the entire ecosystem. Notably, some respondents reported that the CISO should have a dotted line to both the CIO and the CRO.
- Only thirteen percent (13%) of respondents think that the CISO should still report directly to the CIO. A few years back, this reporting model was largely unquestioned, as security was seen simply as a natural extension of IT operations. But given that the CISO's mandate now extends well beyond information security into areas such as supply chain risk, operational resiliency, product design and artificial intelligence architecture, the CISO's strategy can no longer be driven predominantly by the CIO's agenda. Decoupling the CISO from the wider IT organization can also mitigate conflicts of interest and ensure more adequate cyber protection.
- A notable twenty-one percent (21%) of cybersecurity executives believe that the CRO can be a suitable line manager for the CISO. The CRO is responsible for the macro view across the overall risk landscape. Given the increasing number of cyber-related risks in the CRO's risk register that fall under the responsibility of the CISO (including many compliance and regulatory mandates), it makes sense to have the CISO report directly to the CRO. The two roles can join forces to continuously assess and respond to the changing risk environment and make the right decisions at the right time for the organization.
Deciding where to position the CISO function depends largely on the size, complexity and risk profile of each organization. It is, however, becoming quite evident that the CISO should ideally report directly to the CEO and maintain an independent role, separate from its historical IT parent organization under the leadership of the CIO. At the same time, more and more cybersecurity executives are suggesting that the CISO should report directly to the CRO, given that information security programs are implemented in response to cyber and compliance risks, which ultimately form part of the broader risk universe under the mandate of the CRO.