Friday, March 22, 2019

Who should a CSO/CISO (Chief Security Officer / Chief Information Security Officer) Report to?

I have been a CEO, interim CIO, and now am a management consultant. I recommend to my clients that the CSO/CISO role be set up as a peer of the CIO. They should, therefore, have the same reporting structure as the CIO (CEO or board). The reason the CISO should not report to the CIO is that the CIO has competing responsibilities (pressure to reduce costs, keep up with technological change, deliver business as usual, and work with the CMO / business units to deliver innovation). In today's environment, security and information privacy cannot be part of a trade-off. A company needs a CISO who can push back and make sure that up-to-date security and data protection are implemented, regardless of competing priorities. The CISO needs his own team of security architects / auditors who can examine new and existing applications, give them regular checkups, and offer prescriptions for security best practices.