
Why the CISO’s Reporting Structure Needs a Relook


With high-profile cyber threats reaching historic levels during the pandemic, the CISO’s role has come into the spotlight. The State of Cybersecurity 2021 (Part 2) from ISACA, in partnership with HCL Technologies, shows that the CISO’s reporting structure needs a relook in the complex post-Covid-19 security landscape.

The survey notes that while about half of security teams report directly to the CISO (48%), a quarter report to the CIO, followed by 12% that report to the CEO. Of the organizations whose security teams report to the CIO, it is possible the CISO also reports to the CIO, the report notes.

An earlier ISACA study found that when cybersecurity teams report directly to a designated and experienced cybersecurity executive (the CISO), they report significantly more confidence in their team’s capability to detect attacks and respond effectively. This indicates that, despite their elevated role, the CISOs’ reporting dilemma continues. To understand it, it is important to trace the origin of the modern-day CISO’s reporting structure.

CISO’s reporting dilemma

Earlier, the CISO’s role was confined to that of the IT security manager, a more technical one. As security threats increased exponentially and their impact on companies became significant, this back-office role grew in stature, even though in most companies the CISO was viewed as an adjunct C-suite role. With boards increasingly recognizing security threats as top risks for companies, the role is fast finding its place in the C-suite. Despite this, in most organizations the role tends to be less business-savvy and more technical.

A Ponemon Institute report finds that, owing to an ambiguous reporting structure in most companies, the CISO’s role is confined to viewing problems, including business challenges, through a technical prism.

Interestingly, even today, in most organizations the CISO reports to the technology head of the organization and, in a worse scenario, to someone with little knowledge of security or technology.

The Ponemon report, for instance, found that 50% of CISOs report to the CIO, and another 46% report to the CTO, CFO or COO. Only 4% indicated that they report to the CEO or the board. It observes that the CISO’s reporting structure within the C-suite directly affects his or her effectiveness and confidence in mitigating threat incidents.

CIO and CISO partnership is vital

In this respect, the CIO’s role is deemed vital to the organization’s overall cyber security strategy, and the two roles need to be more collaborative to achieve business results. In a recent article by McKinsey, Oliver Bevan, an associate partner in McKinsey’s Chicago office, and his co-authors observed, “The CIO team has an equal stake in addressing cyber risk throughout the processes. Their equality is absolutely essential, since CIO and team are primarily responsible for implementation and will have to balance security-driven demands for their capacity with their other IT “run” and “change” requirements.”

With changing times, both the CIO and CISO roles are expected to play a more collaborative role. “Now, they realized that security cannot exist in a vacuum, so both executives are focused on understanding the other’s perspectives and working towards the same goals of accessibility, security and organizational resilience,” Sheril Jose, DGM-IT and Head- Cyber Security at Pune-based Emcure Pharmaceuticals, remarked.

In fact, research shows that CISOs are more effective when they are viewed as equal partners within the management structure. Leigh McMullen, research vice president at Gartner, noted in his blog that security leaders must strategically balance business and IT, and that their collaboration with the CIO therefore has to be sound.

CISO role in the new spotlight

Therefore, it is crucial to define who is involved in security-related decision-making in an organization and to ensure that these individuals are empowered to make business-based risk management decisions. In this regard, strong leadership is critical to the effectiveness of an information security program, ISACA researchers believe.

Experts believe that, in the era of the remote/hybrid workplace, if CISOs wish to play a bigger role, they must not only have the necessary technical expertise and leadership skills but also understand their company’s operations and articulate security priorities from a business perspective.

“CISOs need to be able to clearly articulate how cybersecurity strategy is connected to IT and business strategy, and CIOs need to be able to do the same with how they link IT to cybersecurity and business goals,” Vishak Raman, Director, Security Business, Cisco India & SAARC said in an interview with CXOToday.

Raman said, “Nurturing a culture that recognizes cybersecurity as a top priority is critical. To achieve this, there needs to be a synergy between business and security leaders. They will be instrumental in accelerating their organization’s recovery and shaping its new phase of growth, with security at the center of and foundational to all business imperatives.”

CISOs are more likely to be effective when they are respected and well known within their company, or able to quickly network and develop positive relationships regardless of stature. Hence, an understanding of the business and an ability to communicate about security, risk and compliance issues can bring the CISO role into a new spotlight.

Sohini Bagchi
Sohini Bagchi is Editor at CXOToday, a published author and a storyteller. She can be reached at