You are here

Cybersecurity & CISO Authority: The Risks of Reporting to a CIO

A recent study by the Deloitte Center for Financial Services provided an updated report on how the COVID-19 pandemic is reshaping the global cybersecurity landscape. Surveying financial institutions across the nation, this study found that:

  • There was increased spending on cybersecurity initiatives, with a heavy focus on identity and access management, cyber monitoring and operations, and endpoint and network security
  • Radical IT changes and increased cyber complexities were identified as the number one cybersecurity challenge among respondents
  • Emerging technologies (such as data analytics, cloud, and robotics process automation) were cited as top cybersecurity investment priorities among financial institutions
  • As the world moves towards increased digitization and remote work, traditional network boundaries are becoming obscured, and “Zero Trust” has become a concept enforcing “least privilege” for modern enterprises contending with new domains

One of the most interesting findings exposed in this document was the increased percentage of Chief Information Security Officers (CISOs) reporting to Chief Information Officers (CIOs) or Chief Technology Officers (CTOs). The article covered where to effectively place the responsibilities of the CISO, and found that more organizations are having CISOs report to CIOs to further integrate cybersecurity with IT to align their overall strategy.

Although the amount of CISOs reporting to CIOs has increased according to this study, there are major concerns surrounding this reporting structure, leading to the conclusion that CISOs shouldn’t report to the CIO to avoid conflicts of interest and possible cybersecurity risks.

The Importance of CISO Independence

This year, Deloitte found that 62% of the CISOs surveyed reported to either the CIO or the CTO at their financial institution—which is a significant increase from the 38% reported in 2019, and the 20% reported in 2018. This practice may indicate that a close alignment between the cybersecurity and IT functions is beneficial for institutions and can aid in their cyber risk mitigation strategies.

However, in PwC’s 2018 Global State of Information Security report which surveyed 9,500 executives across 122 countries, 40% of CISOs reported to a CEO, which mitigates the possible conflicts of interest and security risks that could happen if reporting to the CIO. This compares to the 24% who reported to the CIO, and 27% who reported directly to the board.

Deloitte’s findings are contrary to PwC’s, but both highlight the industry-wide debate over the correct reporting hierarchy of the CISO.

The CISO role has rapidly evolved, and management across industries has recognized its importance to business sustainability. Since the CISO’s role is to ensure security compliance, they must be able to function independently to create fair and objective risk assessments and recommendations. If a CISO reports directly to a CIO, pressure could be placed on the CISO to lessen security to fit the needs of the technology processes.

The level of authority and reporting structure surrounding the CISO also affects an organization’s ability to prepare for, and react to, cyberattacks. This year, ISACA’s 2020 State of Cybersecurity Report found that 40% of respondents whose cybersecurity function reports to a CISO are either completely or very confident in their organization’s ability to detect and respond to threats—while only 31% whose cybersecurity function reports to a CIO reflect the same level of confidence. This analysis reaffirms the benefits of a slight segregation of the duties between a CISO and a CIO for adequate cyber protection.

Conclusion

There’s some logic to both thought processes, and deciding where to place the function is largely a factor of the size and complexity of the organization. An effective reporting structure is critical to give the CISO the support needed to efficiently perform their responsibilities. However, it’s more important that this reporting structure is appropriately defined and understood by the organization, and that the authority for the role aligns with accountability, compliance, and cybersecurity best practices.