CIO vs. CISO vs. CEO: Who Does What?
Every organization handles security differently, based on their needs and internal structure—but in some mid-sized and large companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved. This can set up a CIO vs. CISO standoff. Indeed, historically, the relationship between the CIO and CISO has been described as adversarial but ever-evolving. While organizations today don’t question the value of a CISO, there is also debate about who the CISO should report to: the CIO, CEO, or even CFO?
Reporting directly to the CIO could lead to the CISO being cut off from the rest of the organization and struggling to get buy-in for security initiatives. Likewise, the CIO may not have the security expertise that the CISO does, setting up potential tension that gets in the way of an effective information security strategy. That being said, fostering a strong relationship between these two C-level roles is critical in managing security and risk.
Below, we’ll discuss some of the unique roles both the CIO and the CISO are known to take on and how these two individuals (and their departments) should work together to accomplish common goals. We'll also walk through the reporting structure amongst cybersecurity roles.
CIO vs. CISO: Who Does What?
The Role of the CIO
Traditionally, CIOs have focused on information systems and digital management. They are the owners of the IT side of the enterprise and typically support the business with technology solutions. Today, CIOs help companies turn away from legacy solutions and outdated processes in an effort to modernize technology in their organizations. They are also always looking to make processes more efficient.
More recently, the role has evolved to include more cybersecurity-related tasks. Security tools are embedded in day-to-day IT activities and processes. The CIO may, for example, ensure there is a secure process for cloud-enabled applications in an organization. They may also use tools that provide a snapshot of overall security performance so they can view and report on the “big picture.” Some may even benchmark their own organization’s performance so they can see how the company’s security program stacks up.
The Role of the CISO
The CISO’s role is all about managing information security risk throughout the data lifecycle. This individual must know:
- Where critical data is located: on-premises, across geographies and remote locations, and in the cloud.
- How the organization’s IT infrastructure and systems are interconnected, so that data can be secured in transit and at rest.
- Which vendors have access to the organization’s network and data, and the security posture of those vendors.
- Where vulnerabilities exist across the attack surface, both internal and external.
- What the company’s risk threshold is should the data become compromised.
- How to protect this data while supporting the business’s objectives.
- What to do in the event of a cyber incident.
CISOs are instrumental in defining and implementing a cyber risk management framework to properly govern, evaluate, and respond to risks involving the company’s protected data.
They are also heavily involved in vendor risk management (VRM) of the organization’s third and fourth parties. In this capacity, CISOs must:
- Work to streamline the vendor due diligence process so that the company’s vendor ecosystem can scale easily to meet the growing needs of the organization.
- Understand the security posture of vendors before they are onboarded and ensure they are within the company’s risk tolerance.
- Make certain critical data is only accessible to those who need access to perform required tasks.
- Continuously monitor third parties for cyber risk from procurement all the way through the vendor relationship.
- Be prepared to react quickly when third-party or supply chain vulnerabilities and zero-day events are detected.
As you can see, the role of the CISO carries enormous responsibility, and with cyber risk now firmly a boardroom issue, the CISO must also communicate information about the organization’s security posture to executive stakeholders clearly and directly, and couched in terms they will understand. This includes risks from new business partnerships and vendor relationships, new technologies, and the company’s financial exposure to cyber risk.
The CIO & CISO Relationship
Both the CIO and the CISO are there to protect and manage assets and information, but from two different viewpoints, and that’s a good thing. For example, the CIO’s function is to ensure systems and information are available and accessible to whoever needs them. Meanwhile, the CISO’s function is to ensure proper policies, controls, and insights are in place so that the security teams can discover and counter the daily threats the organization faces.
Whomever the CISO reports to, the relationship must be transparent, collaborative, and respectful. When the relationship is solid, the CIO and CISO can draw on each other’s expertise in making risk management a top priority, make smarter investments, and ensure security is embedded in every technology initiative.
It's Not CIO vs. CISO—It's CIO and CISO
Security cannot exist in a vacuum—thus, a company with a solid risk and security plan cannot rest entirely on the CIO or the CISO’s shoulders. Both sides must understand the other’s perspectives and priorities, leverage integrated cyber risk management solutions to guide and harmonize decision making, and report effectively to the board. When this happens, everyone wins.
Cybersecurity Reporting Structures
Cybersecurity and cyber risk are increasingly getting their own C-suite positions. From 2016 to 2017, the number of organizations with a CISO (chief information security officer) rose from 50% to 65%. Other security and risk-related executive positions like chief risk officer (CRO) and chief data officer (CDO) have also grown in popularity.
The introduction of these new roles, however, comes with potential confusion about who should report to whom, and questions about how to implement structural changes. These aren’t just logistical problems, either; reporting structures within the C-suite can influence the effectiveness of an organization’s cybersecurity strategy. Below, we discuss what we’ve learned about the impact of reporting structures on risk and security.
Who’s in charge of cybersecurity?
In the past, it was typical for cybersecurity to be governed by the chief information officer (CIO). However, cybersecurity is getting more complex and requires constant awareness of new threats, frameworks, regulations, and best practices. Therefore, in the current climate, enterprise cybersecurity should have its own C-level position. This position is most commonly given the title of chief information security officer (CISO).
Who should the CISO report to?
Every organization is different, so there is no universal reporting structure. However, there are a few common practices for CISO reporting, each with their own pros and cons.
Should the CISO report to the CIO?
The CIO, being in charge of the IT department, has extensive knowledge about the technical side of cybersecurity. However, cybersecurity involves far more than just IT — other departments need to be involved in order to create a truly secure organization.
Reporting to the CIO may come at the expense of the culture, procurement, and operations functions of cybersecurity, such as promoting company-wide security awareness, assessing cyber risk while onboarding new vendors, and making sure that operating procedures follow security best practices.
It’s also important to consider where the CIO falls in the reporting structure of the organization. The next step up in the reporting line can have an impact on the decisions that affect cybersecurity and risk. Only 56% of global CIOs report directly to the Board or CEO — with each additional go-between in the reporting structure, you run the risk of complex issues getting lost in translation.
Should the CISO report to the CRO?
Reporting to the chief risk officer (CRO) can improve organizational understanding of cybersecurity and its relationship to overall risk. A CRO can come up with risk-based justifications for cybersecurity improvements, and make a case for the CISO’s proposed programs and initiatives. While CRO was originally a finance-focused position, the role is evolving, along with the ways risk is evaluated.
In some organizations, however, the CRO remains primarily a financial position, and the CRO may not report directly to the CEO or Board. If financial issues are allowed to supersede cyber risk concerns, important cybersecurity initiatives may fall through the cracks.
Should the CISO report to the CFO?
Because the CFO’s priority is the financial health of the organization, a CISO reporting to a CFO might be unduly burdened with justifying spend.
It can be difficult to prove the effectiveness of cybersecurity initiatives, and unless the CISO can consistently demonstrate in a quantitative way how their proposals will benefit the company financially, this reporting structure can result in conflict and frustration.
On the other hand, this structure can also challenge the CISO to question their resource allocation, and that can be a positive thing. Using tools like security ratings, it’s possible to assess cybersecurity performance in relation to specific initiatives and spend money more strategically.
Should the CISO report to the CEO?
When the CISO reports to the CEO, it allows the security program to maintain independence from other departments and prevents cybersecurity goals from being hemmed in by financial concerns.
For industries in which cybersecurity is a major priority (e.g. finance, healthcare, retail, utilities), reporting directly to the CEO is perhaps the most effective reporting structure. In addition, if an organization has suffered a high-profile data breach, cybersecurity should probably be directly under the CEO’s purview, and direct communication between the CISO and CEO will expedite the decision-making process so that cybersecurity issues get resolved more rapidly.
Reporting to the CEO does have potential downsides. CEOs may have less hands-on knowledge of cybersecurity than other executives, and less time to spend listening to and thinking about cybersecurity concerns.
Should the CISO report directly to the Board?
Some CISOs report to the Board, giving them the ability to communicate directly with the highest-level decision makers about cybersecurity needs. However, reporting complex subject matter to the Board takes skill. No matter how much technical knowledge a CISO brings to the table, they need to be an experienced communicator as well.
When reporting to the Board, a CISO needs to keep in mind that most Board members aren’t cybersecurity experts. While they probably have a broad understanding of their industry’s most pressing cybersecurity concerns, they may not be familiar with the specific facets of a security program.
Board-level presentations should focus on the big picture, demonstrating how cybersecurity initiatives — including those that go beyond IT — can improve the organization’s financial, reputational, and operational health. A good way to communicate this big-picture impact is to keep the Board updated with easy-to-understand cybersecurity metrics and KPIs, such as security ratings, in order to demonstrate measurable progress.
More Than One Answer
There are clear benefits to having a designated CISO, but it’s not a one-size-fits-all position, especially when it comes to reporting structure. Every organization is different, and your reporting structure should be tailored to fit your organization’s specific needs and concerns.
In general, however, the ideal CISO reporting structure will allow for efficient communication and swift progress, while ensuring that all aspects of cybersecurity are represented.