How many direct reports away from the CEO is the senior-most security executive?
Direct report: 10%
1: 28%
2: 31%
3: 17%
4: 9%
>5: 2%
1045 PARTICIPANTS
Assistant Director IT Auditor in Education, 10,001+ employees
The senior-most security executive is the CISO. For most organizations, I recommend reporting directly to the CEO.
This is a very good question, and Ali is right: it depends on the industry and whether the company is publicly traded. My experience is that the CISO should report administratively to the CIO, but have a direct reporting line to the CEO. The reason is that the CEO needs to hear directly from the security guy; this prevents the CIO from sugarcoating the state of security in the organization.
Help me understand why a CISO should report administratively to the CIO.
If a CISO should have a direct report to the CEO, why shouldn’t the CIO report to the CISO and solve this multi-reporting structure?
The CIO is responsible for all information systems/IT (and is the head of IT, including the strategic goals and vision of IT); the CISO is responsible for IT security (a check-and-balance control). However, to ensure the CEO is aware of the state of IT, he should hear directly from the CISO. Since the CIO is the overall head of IT, the CISO should administratively report to the CIO to ensure the hierarchy of the organization's reporting structure is maintained. Organizations can choose how they want to implement this reporting structure/process. But best practice is to ensure that the CEO is aware of the state of information security and hears directly from the CISO. Hope this is not too confusing. I could write a paper on this based on my experience in IT security auditing.