Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Eight reasons the CISO should report to the CEO and not the CIO

CIO Staff and CSO Staff | Jan. 9, 2017
Should the CISO report to the Chief Executive? A look at why security executives reporting to the CIO function might not be the right structure

lock istock henrik5000 2

Should the Chief Information Security Officer report to the CEO or the CIO? Technology research and analyst organisation IDC has predicted that as the cyber security threat increases, 75% of Chief Security Officers and CISOs will be reporting directly to the CEO by 2018. 

The situation at the moment is one of CISOs reporting to the CIO, however. Studies by both Forrester and PwC showed around a quarter of CISOs report to the CEO with half reporting to the CIO. Perhaps the trend predicted by IDC is yet to take off, however, with new CISO at Standard Chartered, Cheri McGuire, hired in May 2016 to report to the global bank's Group Chief Information Officer.

Here we look at eight reasons the CSO or CISO should report directly to the CEO and not the CIO:

1. Security is an issure for the entire company, not just the IT department. As a CISO advisor said, "A CISO's job is not to protect IT - a CISO's job is to protect the business."

2. Organisations where the CISOs report to CIOs have 14% more downtime due to security incididents, according to a study by PwC.

3. Organisations where the CISO reports to the CIO have financial losses that are 46% higher, according to the same PwC research.

4. If security concerns threatens to stall an IT project, the CIO might overrule it.

5. The CIO might be reluctant to approve security projects that hinder IT productivity.

6. If a security project costs money, the CIO might choose to spend it on IT instead. Todd Fitzgerald, CISO at Grant Thornton, said that when CISOs report to the CIO, money becomes part of the CIO's pot. "When other projects need more funding or resources to get things done, the money is pulled from security," Fitzgerald said.

7. Reporting outside of the CIO puts the CISO and CIO on a more equal footing with each other, and actually can give security and IT issues more visibility in that way, according to Grant Thornton CISO Fitzgerald.

8. Some regulators are beginning to mandate CISOs report to the CEO - and many more may follow. In Israel, for example, there are laws dictating that CISOs report directly to the CEO.

Source: CIO UK 


Sign up for CIO Asia eNewsletters.