Where should the CISO sit in the leadership team?

This is a contributed article by Greg Day, VP and CSO, EMEA, Palo Alto Networks


As cybersecurity risk management has ascended to become a top strategic priority, where the Chief Information Security Officer (CISO) sits within the leadership team has become a major question.

It is fair to say that there is no one-size-fits-all answer. Organisations need to weigh up the advantages and disadvantages of several models and see which one suits them best.

Here are some of the current options:

Option #1: Reporting to the CIO

It has been traditional for the CISO to report to the chief information officer (CIO). Indeed, this tends to be the most common arrangement today. This reporting model has made a great deal of sense, since the CIO is the member of the business leadership team who should best understand cybersecurity and the CISO role was created to secure IT systems and data.

However, this model may be losing its relevancy as CISOs begin to see how much they need to influence and exert control outside of the IT realm. For example, they must consider employee cyber awareness and education, policy development and even programmes of cultural change. Technological solutions cannot remedy the whole issue when the biggest vulnerabilities are the humans inside the organization.

CIOs also have competing priorities that may conflict with a CISO's cybersecurity agenda. For example, budget for application development, infrastructure and networking may take precedence over what the CISO may prioritize for their team and organization as a whole.

Option #2: Reporting to the CRO

A recent trend has been to see the CISO working under the chief risk officer (CRO), especially within financial services and larger corporates.

Organizations that rely on greater insight into enterprise risks are recognizing that their risk management team needs to cover cyber risks much more thoroughly and proactively. The CISO then is a natural member of the risk team.

A downside of this model is that the CRO doesn't tend to report to the CEO, so this reporting structure can further distance CISOs from top executives and company strategy.

Option #3: Reporting to the CFO

Companies collect all kinds of functions under finance—IT, risk management, procurement, tax, audit. So, it is not unusual to place the CISO there as well.

Having the chief financial officer (CFO) as their boss puts the CISO in direct contact with the financial power on the board. CFOs who are sensitive to risk management may make critical decisions about cybersecurity spending. They also can be the CEO heir apparent.

The downside is that many CFOs want to see returns, particularly if they are incentivized on year-over-year earnings growth. This can be challenging for CISOs, who may find it difficult to present the financial benefits of cybersecurity investments.

Option #4: Reporting to the CDO

The chief data officer (CDO) is a relatively new corporate role often focused on preserving and expanding the value of corporate data, so there is certainly some overlap with the CISO's role in protecting that data.

However, the CDO tends to see data in ways that clash with a CISO. A CDO wants to leverage data to increase revenues and can judge a CISO as putting obstacles in the way of making this happen. With their focus on mining data for the business, the ability of a CDO to also support cybersecurity may be limited. Like a CRO, a CDO doesn't necessarily report into the CEO, meaning the CISO remains further removed from strategic decision-making and budget-setting.

Option #5: Reporting to the CLO

A rarer model is for the CISO to report into an organization's chief legal officer (CLO). This happens when a CEO recognizes the critical nature of cybersecurity and its regulatory demands and risks, and deems that the chief legal officer is best trusted to deal with these matters.

Legal officers within an organization handle significant issues related to information governance and compliance and have a good idea about corporate direction, since they often serve as board secretaries. They also tend to get involved when there is a cybersecurity incident. Unlike the CEO or even the CFO, an organization's legal officer has few other direct reports, so a CISO can find themselves a well-regarded adviser.

A drawback of this model is that chief legal officers tend to be more engaged in cybersecurity on an episodic basis, for example when a breach occurs. They have less interest in cybersecurity as an operational issue to be planned for, monitored and improved.

Option #6: Reporting to the CEO

For a long time, it has been predicted that the CISO would report directly to the CEO; three years ago, IDC predicted that 75% of CISOs would do this. However, this reporting model is still the exception rather than the rule. Those organizations that have embraced this approach are typically tech-centric companies or those that have suffered high-profile cyber setbacks and demand a CISO who is a true business leader.

Reporting to the CEO maintains the independence of the CISO role and can enable a fuller, more open discussion with all the senior stakeholders. Yet adding the CISO to the CEO's direct reports runs against a trend of CEOs seeking to reduce rather than increase the number of principals who directly report to them. CEOs want less, not more, distraction from their focus on strategy and operational leadership.

This perhaps explains why those predictions of CISOs reporting to CEOs haven't yet been realized. Many CEOs actually may prefer their CISO reporting into the CIO who can then filter out relevant information.

Option #7: Reporting to the Board

An alternative that few companies have considered, but which is worth exploring, is having the CISO report directly to the board of directors or one of its committees.

The board's prime responsibility is to supervise management. As organizations become more digital, the board needs to know the unvarnished truth of an organization's cyber performance. A CISO who directly reports to the board can facilitate the process of exchanging critical information that isn't sanitised. These sessions also could allow the board to get discrete cyber information outside of the main board meetings when their attention is drowned out by a plethora of other issues. A major challenge with this model is whether the board contains enough knowledge of cybersecurity issues to make this engagement meaningful enough.


Overall, there is no right or wrong way for the CISO to fit into the organization. What is important is that a CISO's concerns and recommendations are fully heard and understood. Any reporting model that doesn't close the gap in a common understanding of cybersecurity from differing technology and business leadership perspectives will not be helpful to anyone - CISO, CRO, CIO, CFO, CEO, or anyone else at board level.

