Should the CISO sit within the IT department or span multiple departments? Why or why not?

Depends on the business, its culture, its maturity, its empowerment of the CISO to do their job unfettered by fear/constraints. I've seen the CISO sit in both places and be successes and failures in both. 

163 views
2 comments
0 upvotes
Anonymous Author
This has been a perpetual discussion ever since security teams got enough attention from businesses. InfoSec teams, like quality management or Audit functions, largely have "checker" responsibilities, and aligning them to functions that perform "maker" roles (like IT, Operations, Professional Services, Engineering, etc.) definitely creates an opportunity for conflict of interest with the vertical under which they lie. Under the assumption that Information Security Risks have a significant impact on the business environment, the executive management or board will be able to derive maximum value from the CISO's office if there is a direct channel to the board or the CEO. While I agree that the administrative reporting could be managed by another role (CIO, CTO, etc.), IMHO, functionally, the CISO office should be reporting directly to the CEO or the Board, especially because there is more to infosec than just IT. InfoSec spans almost all verticals in the organization, and if the leadership is interested in an authentic, unbiased security review, having the CISO report into IT could defeat the purpose.
0 upvotes