In Episode 6 of our Security Leaders Perspectives series, security leaders take a look at reporting chains and discuss who they believe a CISO should report to in a “perfect” organizational structure.
IT Operations and Cyber Should Have Equal Voice – Mario Memmo
“As long as you’re getting the voice at the executive leadership team and the senior executive level including the CEO, it’s less about who you’re reporting to than reporting out what the risks are to the environment.”
Mario explains that at the executive leadership level, it is critical that IT operations and cyber have equal voices. When CISOs report to a CIO, cyber often takes second place to ops because many CIOs are focused on operations. Mario suggests that the exact organizational structure doesn’t matter as long as cyber has been given the voice and visibility that it needs at the executive level.
Build the Necessary Relationships – Leon Ravenna
“Wherever you sit in the organization, I would argue that you can be effective as long as you’re working on building the relationships that are necessary.”
Many people say that the CISO should report directly to the CEO, but Leon states that this reporting structure isn’t necessary if you’ve built a relationship with the CEO. By cultivating a collaborative relationship focused on building things better and more securely, a CISO can be effective while reporting through the CFO or another C-level position.
Converged Security is the Ideal Structure – Larry Trittschuh
“I think the right answer is the converged security model.”
Cybersecurity and cyber risk are one component of an organization’s overall risk. Instead of a CISO, Larry suggests that a better position is a CSO, with responsibility for physical security, fraud, cyber, privacy, and risk and compliance. Larry explains why he feels that this position, reporting to the CEO or COO, is probably the ideal structure.
“You close those 100 holes correctly. And then it’s time to circle back and start again and make sure you’re still covered.”
As defenders continue to develop and improve their defenses, attackers are looking for ways to bypass and overcome them. A defender needs to plug all of the holes, but an attacker only needs to find one. Cybersecurity is a continual cycle of plugging holes and then circling back to start over and make sure that they are all still closed.
Everything Changes – Larry Trittschuh
“The technology is going to continue to advance. The threats are going to continue to evolve and advance.”
The cybersecurity industry is constantly evolving as technology and threats advance. We’ll never “be there” because we need to constantly work to improve and respond to this changing environment.
IT and Security Should Be Equal – Tim Tillman
“When security is a standalone object, it is granted the authority that it needs to implement policy, to change policy, to enforce policy.”
Cybersecurity is often an afterthought when it is treated as just another IT service. In a perfect world, Tim feels that the CISO and the CIO should be equals who work together. With security as a standalone function, it has the authority to define and enforce policy.
Who Will Best Support the CISO? – Benjamin Corll
“It really comes down to the business itself. It comes down to what the mission is and who is best going to support that security officer.”
Benjamin explains that every organization is unique; some are in the business of making money, while government agencies and nonprofits have different goals. He feels that the CISO should report to the executive that will best support them. Security’s focus on risk management means that the CRO is often a good fit for a direct report, but this can vary from one organization to another.
CISOs Need Autonomy to Do Their Jobs – Aric Perminter
“The CISO needs to have no concerns or worries about what he or she needs to report as part of their job.”
Aric suggests that a CISO should report directly to the CEO because they need to be able to raise red flags without being fired. Otherwise, it’s almost like the fox watching the henhouse. A CISO needs to be someone who can communicate what risk is in a common language across the entire organization without any fear of the ramifications of what they’re reporting.
YouTube: Security leaders are asked whom CISOs should ideally report to. They discuss how different reporting chains impact CISOs’ abilities to do their jobs.