In my previous blog posts, I talked about who the CISO typically reports to today, and my thought that personality should drive where the CISO position resides. In this blog, I’m going to talk about the three major CISO personality types.
While no CISO can be described purely one type, these descriptions provide some insights to the question of where the CISO should report.
- The Technical Information Security Officer (TISO)
The TISO specializes in the management of technical security issues and security operations and monitoring, functions, including, managing firewalls, IDS/IPS infrastructure, etc. The TISO also coordinates and manages technical policy, control and assessment activities. This individual should report to the CIO, CTO or IT management. - The Business Information Security Officer (BISO)
The BISO specializes in information security issues relevant to the business such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other business requirement. This individual also assists in the implementation and translation of enterprise security requirements, policies and procedures. Additionally, this individual should perform self-assessments or, at a minimum coordinate identified business related security issues. Ideally, a BISO should be embedded in each major business unit or division. BISOs should report to business management. - The Strategic Information Security Officer (SISO)
The SISO specializes in translating high-level business requirements to enterprise security initiatives and programs that must be implemented to achieve the organization's mission, goals and objectives. The SISO must coordinate with the OPSO and BISO functions to ensure appropriate progress and traction. The SISO should also be responsible for metrics, dashboards and executive reports and assessments on the State-of-Security (SOS) within the enterprise and to the Board of Directors. The SISO should report to an executive management function such as the CRO, COO, Chief Legal Counsel, Chief Operating Officer or to an executive management committee. One consideration in the reporting relationship is will the executive be able to appropriately support the SISO. For example, if reporting to the CEO, will the CEO have enough cycles to spend the appropriate time with the SISO. Finally, the SISO should be able to represent the corporation externally, e.g., with third parties or in Cyber Insurance discussions.
You may infer that more than one CISO type maybe needed for an organization - you may be correct. In fact, for some organizations one CISO is not enough. Seven percent of organizations responding to the 2011 PWC global information security survey reported having more than one CISO.
So, to whom should the CISO report? The short answer is to the most effective manager, given the type of CISO that the enterprise needs and the contextual factors which are relevant.