What is the reporting line for Information Security in your organization?

LeadershipArchitecture

Via the CIO/CTO57%

Via the CRO29%

Via the CFO7%

Our CISO reports directly to the CEO6%

882 PARTICIPANTS
7.7k viewscircle icon4 Comments
Sort by:
Strategic Banking IT advisor in Banking2 years ago

For years, Security has been part of IT.  But since 3 or 4 years, the team is not directly under the CEO.   Which makes sense since Security isn't only IT.   It includes physical security (offices, buildings, employees), risks, cybersecurity, data protection, etc.

Being under the CEO is also giving them a total independance over IT or LOB.

vp information technology in Consumer Goods3 years ago

CISO is a risk manager and as such should report to COO, GC, CFO or CEO. What say you all?

Director in Manufacturing4 years ago

Ours was directly to CEO for years until a major breach and the CEO realized he wanted an extra layer of insulation from CISO and any blame. Now CISO and CIO report to CFO with a dotted line to CTO in Engineering

Lightbulb on1
Director of Information Security in Energy and Utilities4 years ago

Would be interesting to see this trend over future years. Supposedly there's been a lot of talk over last few years that InfoSec should be reporting to someone other than CIO (to avoid conflict of interest issues) but reality is that that is still the most prevalent relationship and if it is changing then the pace of change is very slow. Curious if anyone has seen in their orgs this change?

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Read More Comments

Where does your organization currently stand on Post-Quantum Cryptography (PQC) awareness and adoption?

Not aware - Haven’t looked into PQC yet

Early awareness - Learning about PQC, but no plans yet

Planning - Building a roadmap or strategy for PQC

Implementing - Running pilots, tests, or partial adoption

Mature - PQC integrated into security architecture

View Results

What do you consider a best practice for retaining/releasing unnecessary domain names? In this case, specialized domains tied to marketing campaigns. 

While the expense is small and there is some possibility for a bad actor to acquire and use for malicious activity, I question keeping domains of this sort "forever."

How do you handle this?

Read More Comments

Does your IT team or your HR team absorb the costs of HR technology?

Read More Comments

What are you currently doing to improve vulnerability patching?

Not making improvements currently3%

DevOps41%

Infrastructure-as-code39%

Automation55%

Asset inventory improvements28%

Coordinated test procedures27%

Test lab environment6%

Scanning improvements23%

New tools7%

Something else (I’ll explain in the comments)1%

View Results