Companies are increasingly recognising the importance of having a top-level executive dedicated to security issues. That's one of the big findings of IDG's 2020 Security Priorities Study: 61 per cent of surveyed companies have a security pro in the top ranks, and that rate goes up to 80 per cent for large enterprises.
Where such an executive exists, they play an important role: the same study found that companies without a CISO, CSO, or other top-level security executive were more likely than those with one to say their employee security training was inadequate and their security strategy was insufficiently proactive.
But not all of these executives sit in the same spot on the org chart, and that can affect institutional culture and security outcomes. Security is a role that inevitably butts heads with others, since a security pro's instincts are to lock down systems and make them harder to access—something that can conflict with IT's job of making information and applications available in a frictionless way.
That drama can play out at the top of the org chart as a CISO/CSO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organisation: if the top security exec reports into the leadership of the IT department, that can constrain the CISO's ability to execute strategically, as their vision ends up being subordinated to IT's larger strategy.
Among the organisations surveyed in the 2020 Security Priorities Study, almost half of security chiefs had a direct connection to the top. In 34 per cent of cases, the top security executive reported to the CEO, and in another 12 per cent they reported to the board of directors.
Meanwhile, 33 per cent of the time, the CISO or equivalent reported into a corporate or divisional CIO. The rest were scattered under different silos, reporting to officers like the chief risk officer or general counsel.
Perhaps unsurprisingly, smaller companies tended to have flatter organisational arrangements: the study found that 59 per cent of top security execs at SMBs reported to the CEO, whereas that was true at only 22 per cent of large enterprises.
Another interesting, if unsurprising, correlation: security execs who have the ear of top management are more likely to win a larger portion of the IT budget for security purposes. That's clear from the 2019 State of the CIO survey.
Companies that spent less than five per cent of their IT budget on security were equally likely to have their CSOs report to CIOs or CEOs; but at companies that spent 10 per cent or more on security, the CSO was almost twice as likely to report to the CEO.
The effect was even more pronounced at companies where the top security title holder was CISO: only three per cent of CISOs at companies that spent less than five per cent of their IT budget on security reported to the CEO, but 26 per cent of CISOs at companies that spent 10 per cent or more did.
What's in a title?
Since we've been juggling different titles here, let's talk about them for a moment. There are some broad trends in usage that may seem to distinguish CSOs from CISOs. In general, according to the 2019 State of the CIO research, CSOs tend to be higher up the org chart: At respondent companies where the top security exec has a CSO title, 43 per cent report directly to the CEO; but only 18 per cent of CISOs report to the top.
And nine per cent of survey respondents said their chief infosec executive reported in to someone with a CSO title, indicating that job sometimes included duties beyond IT, most notably physical security.
But there are plenty of exceptions, and for many companies the CSO job is purely technical in scope. Rather than try to draw a hard-and-fast distinction, we'll use "CSO" generically to refer to a top-level security exec, with the assumption that most if not all of their job duties focus on information security. Indeed, many of the experts CSO interviewed for this article use CISO and CSO interchangeably.
Safe in the nest of IT?
Companies as a rule don't start off as giant enterprises: they grow into them, and often their reporting structures are formed in the process of that growth. In relatively new companies, a structure where the CSO reports to the CIO or other head of IT is common, says Edward Marchewka, founder of Chicago Metrics.
This is especially true if, as he puts it, "there is a good deal of blocking and tackling still left to do—basic processes like ensuring proper firewall rules or timely application of security patches or even basic inventory of company assets. It is hard to protect information and devices if you don’t know where they are."
Paul Wallenberg, unit manager of Technology Recruiting Services at LaSalle Network, says this arrangement works well to give the CIO the full lay of the land in IT, with "comprehensive visibility across all information technology domains rolling up to one central person."
But as a company grows, security can find itself chafing under the CIO umbrella. In particular, a CSO might find that their job doesn't necessarily have the same goals and incentives as the rest of the IT department. Dave Burg, Principal at EY Advisory Americas, says that a structure where a CSO reports to a CIO can result in "over-leveraging towards cost management as opposed to risk management."
Alexander Yampolskiy, a former CSO who's now CEO of SecurityScorecard, puts it more bluntly: a CIO "is usually rewarded for delivering business projects, which affect revenue. The CISO's job is to fix vulnerabilities—and those security projects will always create tension for resources with revenue-driving projects."
There's also the matter of differing priorities: a CIO has a long list of goals, and if the CSO is under their umbrella, they may find themselves shunted to one side in the quest to complete a big project. Brian Brammeier, CEO of HigherGround Managed Services, describes a scenario he encountered within a company where he consulted. "There was a major security issue that was leaking data. The CIO was notified, but it didn’t get the priority that was needed because he didn’t classify it as a drop-everything-and-fix problem—which it was. The director of security approached the board because of the gravity of the issue, and they changed the reporting structure so that the CISO reported directly to the board."
"When a security issue is discovered, people may be defensive," Brammeier explains. "At onset, it doesn’t matter whose fault it is; the issue just needs to be resolved."
But in the real world, not everyone is so broad-minded, and not every conflict between a CSO and their CIO boss is going to end like the episode Brammeier describes. "Yes, you can inform the board of your disagreement with the direction the CIO is taking," says Kudelski Security's Hicks, "but it typically does not help with your longevity as a CISO."
Reporting into a CIO can constrain a CSO's ability to execute strategically, says Bil Harmer, CISO at Zscaler. CSOs in that position "are both financially and personally invested in the security posture they have advocated for," he explains.
"The perceived repercussions of admitting the security architectures they have built are no longer effective can create a lot of pressure, and the CISO is therefore less likely to tear it down and adjust when needed. Overall, CISOs don’t feel empowered or encouraged to pivot in ways that benefit the overall business."
Having a direct line to higher ups in the company can help break CSOs out of that trap. "Once the tech side of a company has matured," says Chicago Metrics' Marchewka, "the security organisation can transition to more of a risk-based approach and report into higher parts of the business."
Indeed, most of the people we spoke to felt that a good sign of a forward-thinking company is a CSO who doesn't answer to a CIO, but who is instead in a position to think like one of the company's leaders.
Several executives we spoke to touted an organisation where the CSO has more of a coordinating role across multiple departments. "The 'command and control' CISO who owns everything security related is no longer a valid construct," says BluVector CEO Kris Lovejoy. "The CISO becomes a committee chairman, responsible for gathering and communicating cross-organisational metrics that will be packaged and presented to leadership."
Netskope CISO Lamont Orange adds, "In this model, security architecture resides in each of the functional areas of the organisation, with the CISO providing governance and transparency."
In other words, the CSO needs to get out of the IT silo. "The days of the CISO being completely IT-centric and as such being in a role under the CIO is gone," says Brian Contos, CISO for Verodin.
"Managing security effectiveness and risk management transcends IT and has to operate at an executive level so that technical and non-technical decision makers can be armed with evidence-based data in order to make business decisions more effectively and efficiently from an informed position."
Powwows with bigwigs
Getting the ear of those decision makers is one of the most important reasons why a CSO might want to get out from under the IT umbrella—and the closer you can get to the top, the better. "In an ideal world, a CSO/CISO would report directly to the board of directors," says Kudelski Security's Hicks.
"Given the political realities at most firms, I think a more realistic target is to report to the CEO or equivalent. For a CISO or CSO to be truly effective, they need access to the central decision-making process and the authority to participate in that process as an independent voice.
"To truly provide guidance to the organisation around the security of its information and assets, you need to be in the executive level decision-making conversations. And not simply as an observer: you need a full vote."
The many org chart possibilities
Most of the execs we spoke to acknowledged that a CSO reporting to a CIO is still the most common scenario, but said it is in many cases not ideal. When asked about their preferred reporting alignment, they had a host of suggestions.
Having top leadership's ear has concrete and practical benefits when it comes to getting the resources a CSO needs.
"Typically, in successful organisations with a strong culture of security, we see the CSO report to leaders such as the CFO or COO," says Chris Duvall, Senior Director at The Chertoff Group. "These leadership roles are often heavily involved in the day-to-day decision making and have the ability to understand and incorporate long-term security needs into capital expenditure planning, as well as to resource and extract 'emergency' requirements and funds when necessary," he says.
A CSO who reports to the top is taken more seriously, which can only add to their job satisfaction. An organisational distance from decision makers "is one of the most common reasons the average tenure of a CISO is around 18 months," says Hicks. "It’s not an easy job to begin with, and if it’s not set up for success, it's untenable over the long term."
If a company is looking to hire a new top security exec, according to LaSalle Network's Wallenberg, it "will have more success in attracting top-tier talent if the CSO reports to the CEO."
But it's not just the CSO's personal happiness that's on the line: it's the company's security. A CSO will be most satisfied at a company that takes security seriously, and giving the CSO a direct connection to top leadership is a part of that.
"If a breach can paralyse a business, then the CISO should report into the CEO," says Karin Klein, a founding partner of Bloomberg Beta. "It's as simple as that. It's about shifting the mindset of CEOs to make sure their security plans are buttoned up. When a CISO reports directly to the CEO, the information flow is direct and immediate. It also signals to the whole company and its stakeholders (employees, customers, the board, investors, etc.) that security is a top priority."
Increasing regulatory security requirements also make the case for a CSO who reports to leadership independent of IT's oversight.
"In the regulatory climate affecting businesses today, it behooves an organisation to place the CISO/CSO in an organisational position where they have independence and oversight abilities, and can act as a business adviser for security functions and features," says John Kronick, director of Cybersecurity Solutions at PCM. If the CISO is under the CIO, he says, "there is no independence or objectivity by the CISO, and any CISO assessment work would potentially be tightly controlled or restricted so as to render it worthless."
In the end, the changing legal and threat landscape will align to make the CSO a co-equal partner of CIOs and other execs for a simple reason: the bottom line.
"Recently, there have been security breaches that have affected company stock prices," says SecurityScorecard's Yampolskiy. "For example, the Equifax stock price has not yet recovered after the company's big breach, just as Sony's stock price hasn't after the PlayStation breach and theft of internal documents. As more high-profile events like those happen, we expect the CISO in the next few years to start entering the senior leadership teams of companies."
Editor's note: This article, originally published on June 12, 2018, has been updated to more accurately reflect recent trends.