Today, conventional wisdom has the chief security officer (CSO) reporting to the CIO and on occasion to the CFO. But, as companies face an increasing number of cyber attacks that can negatively impact all facets of their business – from operations and information to reputation and revenue – does this reporting structure still make sense?
The CSO of a global technology company recently had their reporting structure debated at a board of directors meeting. The board considered it a conflict of interest for the CSO to report to the CIO, since the greatest vulnerabilities and most of the mitigation responsibilities fall to IT. They worried about transparency and objectivity and the CSO's ability to say, “the emperor has no clothes,” so to speak. Under CFO “ownership,” the board was concerned that a financial view of security management would put the CSO in a continually defensive position on spending. Reporting to the chief counsel had its merits for compliance, but members were concerned about agility.
Ultimately, they decided this role should report to the CMO. That's atypical, although in this company's case, the CMO was considered a “change agent.” While it may make sense given the serious brand reputational risks posed by security breaches, marketing is rarely equipped to act in real-time to address large-scale operational, HR or legal issues.
CSOs need to be able to function at the highest levels of an organization while not being tethered to a specific department or operational function.
And the CSO's job requires immunity from corporate politics – ensuring that a company has the most agile and effective cyber prevention, detection and response across the entire organization. You can't “turn off the internet” while going through multiple levels of decision-making.
To be successful, the CSO must report directly to the CEO.