How many direct reports away from the CEO is the senior-most security executive?

Direct report: 10%

1: 28%

2: 31%

3: 17%

4: 9%

>5: 2%


1045 PARTICIPANTS

9.7k views, 3 Upvotes, 6 Comments

Group Chief Information Officer in Construction, 5,001 - 10,000 employees
The answer to this question varies depending on the industry and the maturity of the corporation.
3 4 Replies
Assistant Director IT Auditor in Education, 10,001+ employees

This is a very good question, and Ali is right: it depends on the industry and on whether the company is publicly traded. My experience is that the CISO should report administratively to the CIO, but have a direct report to the CEO. The reason is that the CEO needs to hear directly from the security guy; this prevents the CIO from sugarcoating the state of security in the organization.

Senior Director, Defense Programs in Software, 5,001 - 10,000 employees

Help me understand why a CISO should report administratively to the CIO.

If a CISO should have a direct report to the CEO, why shouldn’t the CIO report to the CISO and solve this multi-reporting structure?

1
Assistant Director IT Auditor in Education, 10,001+ employees

The CIO is responsible for all information systems/IT (and is the head of IT, including the strategic goals and vision of IT); the CISO is responsible for IT security (a check-and-balance control). However, to ensure the CEO is aware of the state of IT, he should hear directly from the CISO. Since the CIO is the overall head of IT, the CISO should administratively report to the CIO to ensure the hierarchy of the organization's reporting structure is maintained. Organizations can choose how they want to implement this reporting structure/process, but best practice is to ensure that the CEO is aware of the state of information security and hears directly from the CISO. Hope this is not too confusing. I could write a paper on this based on my experience in IT security auditing.

1
Assistant Director IT Auditor in Education, 10,001+ employees
The senior-most security executive is the CISO.  For most organizations, I recommend reporting directly to the CEO.
1
