At what point does it make sense for the security lead to be directly reporting to the CEO and not a CIO/CTO?

39.3k views4 Upvotes20 Comments

Former Chief Technology and People Officer in Software, 1,001 - 5,000 employees
I'm always shocked at how much pent up energy there is around that particular topic. There are people that feel so strongly that a CSO should never work for the CIO. That CIOs don't understand security and they never give money to security. It gets to be quite an intense conversation.

In the last few companies I've worked for, there wasn't a whole lot of debate about how things should roll up. It's like, hey you got this? Make this happen! But I think the best approach is to always be looking at what is right for the company at that given time.

Security is important to me. But I understand it only works if IT ops and security ops are willing to work together. Its all about people. A lot of times, everyone wants to spend a lot of time defining roles and responsibilities. Roles and responsibilities are important to understand but it all comes down to people and people behaving in the right way and understanding that there's actually value in us all working together to solve this problem.

Chief Security Officer in Software, 10,001+ employees
Depends on the size of the company and what the company does. For a technology company that is security focused it may make sense. For a company where security is mission critical to the business it may make sense. It also depends on how the board and CEO prioritize their technology function. If technology (CIO/CTO) function isn't overly concerned about security, then it will make sense to pull security out from under those roles so security isn't getting filtered or de-prioritized.
VP of Global IT and Cybersecurity in Manufacturing, 501 - 1,000 employees
Its important to remember that not everyone with the security lead or CSO/CISO title has the same set of responsibilities.

CSO reporting directly to the CEO, allows the CSO to have a higher degree of influence in driving change. However, depending on the organization, the CSO may not have as much time with the CEO due to their range of responsibilities.

Ive seen the most success when the CSO is working directly with the CEO, it helps remove friction, barriers and align with the strategy of the business.
CIO in Software, 1,001 - 5,000 employees
I think the only time it’s important for a direct reporting relationship to CEO is when it’s a security products company. This is not from an internal implementation perspective but more from a. Strategic perspective. Thought leadership, product insights, drinking your own champagne all areas that become important at the exec team level. All other times there is a lot of synergy and productivity to be had if you combine the security and IT orgs.
CISO in Software, 201 - 500 employees
I think CSO must not report to CIO/CTO, cause there is conflict of interests, it will not be effective on any ways on any organization, CSO must look and think about risks, especially in IT. CSO/CISO must report to CEO, that's the best practice!
1 1 Reply
CIO and Startup Advisor in Software, 10,001+ employees

You bring up an interesting point about risk. Not all IT risk is related to security. Where do you feel IT Governance, Risk and Compliance needs to sit? I have seen this under security, i have seen it inside IT and I have seen it completely outside under an Enterprise Risk Management function. What works best in your opinion, and why?

Former Chief Technology and People Officer in Software, 1,001 - 5,000 employees
Don’t agree that it is a conflict of interest. I do believe that type and size of company plays an important and do not believe there is only one model.
Managing Director in Software, 1,001 - 5,000 employees
If there is a separate budget/P&L and/or separate staff associated with the Office of Information Security from the CIO/CTO budget/organization, then I believe the CISO reporting should be directly to the CEO. As co-members of the C-Suite, you should be effectively compensated to always work collaboratively in the best interest of the company. Effective measures for Information Security expand beyond just IT, including physical/building security. Therefore, this will allow IT to focus on its core capabilities and help it to be more strategic in response to disruption or transformational requirements.
Deputy CIO in Government, 5,001 - 10,000 employees
The answer is simple, the CEO needs a single throat to choke. If CISO's role is to be elevated then security should be an organization on its own, till that happens there are too many overlapping responsibilities.
1 1 Reply
CIO and Startup Advisor in Software, 10,001+ employees

I feel that security is everyone’s responsibility and it is unfair to say that the CISO is the single throat to choke. Ultimately, if the CISO is not able to articulate the threats and risks, and not able to get everyone to get to a level of shared understanding and shared accountability, then yes, that is a bad CISO. How does one make security an organization on its own yet still make it such that it’s everyone’s responsibility? Any thoughts there?

Country CIO in Finance (non-banking), 10,001+ employees
A number of models could be adopted, each with their own pros and cons. Segregation between IT operations and IT security is the mainstream model that works well in companies of a certain size and nature. The latter sets policy and control on the other, but requires close collaboration. It gives the CEO full control of both areas and elevates the importance of IT security within the organization.
Director Strategy, Planning & Innovation in Software, 10,001+ employees
At Cisco we have the Security Office reporting to our COO. In addition the CSO sits on the Exec Leadership Team and participates in their regular meetings. It all depends on your size and focus, but from a company perspective it should be one of the top priorities.

Content you might like

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
46.5k views133 Upvotes324 Comments

Team lead19%

Project lead58%

Domain lead8%




Community User in Software, 11 - 50 employees

organized a virtual escape room via - even though his team lost it was a fun subtitue for just a "virtual happy hour"
Read More Comments
13.4k views27 Upvotes67 Comments