I'm always shocked at how much pent-up energy there is around that particular topic. There are people who feel so strongly that a CSO should never work for the CIO, that CIOs don't understand security and they never give money to security. It gets to be quite an intense conversation. In the last few companies I've worked for, there wasn't a whole lot of debate about how things should roll up. It's like, hey, you got this? Make this happen! But I think the best approach is to always be looking at what is right for the company at that given time. Security is important to me. But I understand it only works if IT ops and security ops are willing to work together. It's all about people. A lot of times, everyone wants to spend a lot of time defining roles and responsibilities. Roles and responsibilities are important to understand, but it all comes down to people and people behaving in the right way and understanding that there's actually value in us all working together to solve this problem.
Depends on the size of the company and what the company does. For a technology company that is security focused it may make sense. For a company where security is mission critical to the business it may make sense. It also depends on how the board and CEO prioritize their technology function. If the technology (CIO/CTO) function isn't overly concerned about security, then it will make sense to pull security out from under those roles so security isn't getting filtered or de-prioritized.
It's important to remember that not everyone with the security lead or CSO/CISO title has the same set of responsibilities. A CSO reporting directly to the CEO allows the CSO to have a higher degree of influence in driving change. However, depending on the organization, the CSO may not have as much time with the CEO due to their range of responsibilities. I've seen the most success when the CSO is working directly with the CEO; it helps remove friction and barriers and align with the strategy of the business.
I think the only time it's important for a direct reporting relationship to the CEO is when it's a security products company. This is not from an internal implementation perspective but more from a strategic perspective. Thought leadership, product insights, drinking your own champagne are all areas that become important at the exec team level. All other times there is a lot of synergy and productivity to be had if you combine the security and IT orgs.
I think the CSO must not report to the CIO/CTO, because there is a conflict of interest; it will not be effective in any way in any organization. The CSO must look at and think about risks, especially in IT. The CSO/CISO must report to the CEO, that's the best practice!
Don't agree that it is a conflict of interest. I do believe that the type and size of company plays an important role and do not believe there is only one model.
If there is a separate budget/P&L and/or separate staff associated with the Office of Information Security from the CIO/CTO budget/organization, then I believe the CISO reporting should be directly to the CEO. As co-members of the C-Suite, you should be effectively compensated to always work collaboratively in the best interest of the company. Effective measures for Information Security expand beyond just IT, including physical/building security. Therefore, this will allow IT to focus on its core capabilities and help it to be more strategic in response to disruption or transformational requirements.
The answer is simple: the CEO needs a single throat to choke. If the CISO's role is to be elevated then security should be an organization on its own; until that happens there are too many overlapping responsibilities.
A number of models could be adopted, each with their own pros and cons. Segregation between IT operations and IT security is the mainstream model that works well in companies of a certain size and nature. The latter sets policy and control on the other, but requires close collaboration. It gives the CEO full control of both areas and elevates the importance of IT security within the organization.
At Cisco we have the Security Office reporting to our COO. In addition, the CSO sits on the Exec Leadership Team and participates in their regular meetings. It all depends on your size and focus, but from a company perspective it should be one of the top priorities.
The CISO should not report to the CIO when the CIO has a conflict of interest. If, for example, the CIO has a responsibility to deliver applications or products to the business, and he or she has the option of doing so either by incorporating the appropriate security controls or by bypassing the necessary security requirements, the result may be a poorly developed application fraught with security flaws, done so in the name of speed to market. The CIO in these circumstances may be incentivized to accept risk for the organization in the interest of achieving his or her deadlines.
Security should report to the CEO when the CEO has an agenda that requires security to be included in the core strategy and decision-making function of the organization, or where security needs the positional authority to achieve the organizational goals. If the CEO doesn't support security then it doesn't matter where security is positioned. If the CEO supports security then it doesn't matter where security is positioned. The question comes up because the CEO often doesn't care about security. The CEO has the same "conflict" of interest that the CIO is said to have and is constantly being pressured by the board in the same way that the CIO is pressured to deliver business results. Changing where security reports to only addresses two of the primary governance questions: "What should we be doing from a security perspective?" and "Did we get the expected return on our security investment?" These are clearly leadership questions. Moving where security resides could create conflicts in the other governance areas, these being "How do we accomplish our security goal?" and "How do we ensure that we do it properly?" For the information security domain, most CIOs are going to feel that these questions should be addressed in their area, and moving them out tends to create friction.
Should... but typically the CISO reports into the CIO or COO with a dotted line to the CEO, or some kind of regular operating rhythm with the CEO.