Should a CISO report to the CIO?

Posting date: 11 Jul 2019

With the role of the CISO under constant scrutiny, it’s hard to know where they stand. Do they report to the board? Are they part of IT? Are they best suited to a permanent position in the organisation, or is the role better filled on a virtual basis?

There are so many questions surrounding the role of the CISO that it’s hard to stay up to date, but one debate remains prominent: whether a CISO should report to the CIO.

In the last six months we have been speaking to CISOs across the globe to get their opinions on the current cyber landscape as part of our new white paper. We asked them about the role of the ‘accidental CISO’, what the future holds and how the title is evolving, but one topic that kept arising was the relationship with the CIO, and overwhelmingly it appears to be a negative one.

One of our contributors raised a vital point – IT is a peer of Cyber, not a superior.

She went on to explain: “A CISO should aspire to become Head of Information Risk and Compliance. It’s not all about IT. Unfortunately, as soon as the word “cyber” became trendy, the pernicious assumption followed that IT should and could handle all aspects of Cyber. This trivialises the non-IT aspects of security; information does not become irrelevant simply because you have printed it out! A person who knows our acquisition plans isn’t an IT issue, but could be an information security issue, for example.

“Another aspect of this assumption which is troubling is that the CIO’s performance is primarily measured upon system uptime and delivery of new features. Confidentiality, and for that matter integrity, is not as highly featured in their playbook; so, if information security is reporting to them, they cannot prioritise it. Therefore, if the CISO is reporting into the CIO, you have an inherent conflict of interests. IT should be the peer of information/cyber security, not its superior.”

With IT and cyber security arguably having a conflict of interests, is it wrong to assume that a CISO should report to the CIO? I’m keen to hear your views on the matter – do the two go hand in hand?