As a CISO myself, I have a vested interest in this question, which at first glance appears to be quite simple. After all, there seems to be little debate as to where other C-level officers should report. While there has been some discussion about certain C-level offices such as the Chief Privacy Officer (CPO) or Chief Compliance Officer (CCO), those discussions are relatively tame compared to the heated verbal exchanges that I have witnessed and been a part of over the past few years.
The fact that this question is asked at all is an indication of the establishment and growing acceptance of the CISO role and function. In 2006, only 22% of the more than 7000 organizations responding to the PWC annual information security survey reported having a CISO or equivalent. By comparison, in 2011 more than 80% of the organizations responding to the survey reported having a CISO.
There is strong disagreement about where the CISO should report. The prevailing recommendation from most who write on the topic is that the CISO absolutely should not report to the CIO. In their view, having the CISO report to the CIO or the IT organization represents an inappropriate segregation of duties. However, the fact is that 40% to 60% of existing CISOs do report to the CIO or IT executive, depending on industry. And there is evidence that in some industries there is a clear trend toward the CISO reporting to the IT organization.
Even if we agreed that the CISO should not report to the CIO, that does not answer the question. Where should the CISO report? If you ask that question of seven world-class organizations, you might well get five world-class answers, all of which will be vehemently defended as the right organizational answer.
Interestingly, in a joint research study we conducted with Ponemon on Application Security Maturity, 28 percent of respondents felt that the CISO should be primarily responsible for ensuring security in the application development life cycle in their organization. What types of responsibilities a CISO carries is often tied to what personality type the organization needs in a CISO. In my next blog, I'm going to describe the different CISO personality types (Technical, Business, and Strategic), how to match the personality type with the security needs of the organization, and where each should report in order to be successful.