Reporting Line of the CISO: What Really Matters


It is astonishing to see the amount of interest still surrounding the reporting line of the CISO. The fact that it is still a topic of serious discussion amongst security professionals teaches us a few things about the role and its perception: Is the role properly established, identified and accepted in organisations? Or is it (still) seen as some form of arbitrary (and bureaucratic) imposition by regulators?

In theory, there should be no debate in the face of a constant avalanche of cyber security issues in the news. The need to protect the firm from cyber threats should be obvious for the Board. One Board member should own the problem and delegate the coordination and delivery of the necessary protective measures to one of their direct reports. Period.

At this point, there are several options available for the reporting line, depending on the cyber security challenges the firm is facing and its digital footprint. Those lead to different role profiles for the CISO, which we have analysed in an earlier article.

The right reporting line is always the one that works and gets things done, not an arbitrary one that creates barriers, engenders politics and hinders delivery (even if it ticks audit or compliance boxes).

In practice, however, things rarely work so simply. It is not uncommon to encounter problems of understanding at Board level around cyber security issues, leading to adverse prioritisation. Equally, there are often skills issues at Board level minus 1, leading to difficulties in appointing a CISO with the right profile for the role. Looking externally often fails (in particular in large firms) because of the intrinsically horizontal nature of the CISO role, and the need to understand how the firm really works in order to navigate across corporate silos, be credible and make things happen around security.

All this often leads to placing the CISO role by default in the portfolio of the CIO or the CTO, even if those are not Board members.

This is not a problem in itself, in particular in firms that have a strong technological bias, and there are many good ways to make this work efficiently, as we have suggested in the past.

Many security professionals who have an interest in this topic seem concerned with separation of duties issues, and the fact that conflicts of priorities may emerge between the CISO and their boss in those configurations.
