CSOs should report to the CEO

Ronald Prins

Today, conventional wisdom has the chief security officer (CSO) reporting to the CIO and on occasion to the CFO. But, as companies face an increasing number of cyber attacks that can negatively impact all facets of their business – from operations and information to reputation and revenue – does this reporting structure still make sense?

The CSO of a global technology company recently had their reporting structure debated at a board of directors meeting. The board considered it a conflict of interest for the CSO to report to the CIO, since the greatest vulnerability and most mitigation techniques fall to IT. They worried about transparency and objectivity and the CSO's ability to say, “the emperor has no clothes,” so to speak. Under CFO “ownership,” the board was concerned that a financial view of security management would put the CSO in a continually defensive position on spending. Reporting to the chief counsel had its merits for compliance, but members were concerned about agility. 

Ultimately, they decided this role should report to the CMO. That's atypical, although in this company's case the CMO was considered a “change agent.” While it may make sense given the serious brand and reputational risks posed by security breaches, marketing is rarely equipped to act in real time to address large-scale operational, HR or legal issues.

CSOs need to be able to function at the highest levels of an organization while not being tethered to a specific department or operational function.

The CSO's job also requires immunity from corporate politics – the CSO must ensure that the company has the most agile and effective cyber prevention, detection and response across the entire organization. You can't “turn off the internet” while going through multiple levels of decision-making.

To be successful, the CSO must report directly to the CEO.
