Who should the CISO report to? Needing justification.
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
in Off-Topic
I'm currently putting together justification for a proposal that would move my company's InfoSec organization out from under IT and make our senior security person on the same level as our senior IT person. I've got quite a few article-based sources for reasoning, but I'm looking to see if anyone has any sources for white papers or anything more official. SANS has come up with one item, but it barely touches on the position we'd like to communicate.
Anything would be appreciated!
LinkedIn - Just mention you're from TE!
Comments
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
I remember reading several reasons as to "why", but the biggest was due to conflict of interest, so I would look for that first. Your senior IT person can run interference for all of your senior security person's concerns and make his position almost worthless.
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
This LinkedIn post brings up some good points:

5 Reasons the CISO Should Report Directly to the CEO and Board

Increasingly, it is the board of directors and CEO that are held accountable by the shareholders and the public in the event of an information security incident. So they deserve the opportunity to make the key security decisions after being briefed on the company's security posture and threat landscape directly from the most senior security expert in the company and having the opportunity to question this expert.

If the CISO reports to the CIO, the senior IT person may try and sweep issues under the rug if the findings reflect poorly on the CIO. This requires proper soft skills when it comes to employees and management working together rather than finger pointing.

This reporting structure gives the CISO access to the business leaders so that they can better ensure that the security strategies are aligned with business strategies.

This is important, but I wonder if current CEOs are being educated properly to include a high-level understanding of e-commerce, privacy laws and the importance of security. The new and upcoming generation is being raised on stories of security breaches, but the old timers are probably ignorant and need direct interaction between the CIO and CISO to better coordinate available resources rather than getting second-hand security information from the CIO.

In my current role I am becoming disenfranchised because I was hired by the President of the company but report to the IT manager, so all of my concerns are being filtered.
Mishra Member Posts: 2,468 ■■■■□□□□□□
Always an interesting topic for companies. I've seen many different approaches.
Only advice is to do a job search for CISOs and come up with your own data on who the position reports to.
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
CISO should report directly to the Audit Committee. This allows him/her to voice concerns and take a risk-based approach to security, which the audit committee will understand. Also, this takes him/her out of the "business is all that matters" approach that often happens at companies. I've seen it on multiple occasions where marketing or another business unit wants a new piece of tech or access to data asap (controls be darned), and if the ISO is reporting to the CEO or CIO they get trumped.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
the_Grinch wrote: »
> CISO should report directly to the Audit Committee. This allows him/her to voice concerns and take a risk-based approach to security, which the audit committee will understand. Also, this takes him/her out of the "business is all that matters" approach that often happens at companies. I've seen it on multiple occasions where marketing or another business unit wants a new piece of tech or access to data asap (controls be darned), and if the ISO is reporting to the CEO or CIO they get trumped.

The CISSP CBK has some good breakdowns of pros/cons of security reporting to various areas. Basically for IT, IT is concerned with availability and has conflicting interests with their own projects and milestones. As a lot of us know, the common saying by the organization is "security is just a roadblock". By having the CISO report to the top, views are unbiased and free of other pressures that would let security be loose. In the end, security is more of a consultant, but we need to be consulting to the ultimate decision maker who has the entire view of the organization... especially from a risk management point of view.
OctalDump Member Posts: 1,722
My inclination is that the CISO should report to the CEO and/or the board. It probably does matter what the local law is, and what the governance requirements are, but in general, the CISO can deal with issues that require them to circumvent all other hierarchy.
If you put the CISO under IT, then there will be an inevitable conflict between accountable and responsible.
2017 Goals - Something Cisco, Something Linux, Agile PM
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Yeah, the CISO should report directly to the CEO; the Auditors should also report directly to the CEO to avoid conflict of interest.
colemic Member Posts: 1,569 ■■■■■■■□□□
Ideally, the CISO should report to the CEO. However, in reality, that rarely happens. It is good that you are trying to move it away from IT - as CISO, managerially I report to the Chief Risk Officer, but work closely with the CIO and IT Ops... We are trying to move away from that, but reporting to the CRO has given me a level of independence and objectivity I wouldn't have had otherwise.
Those are pretty much your three choices. The Texas CISO Council Guide (http://media.wix.com/ugd/618c85_f1e315b1e92844fcaebc9612fd1157c5.pdf) has a GREAT breakdown on this.
Working on: staying alive and staying employed