Sometimes your best intentions are thwarted by technology. That was the case when Thom Langford and I attempted to do a Q&A session after our webinar “Modern Skills for Modern CISOs.”

Unfortunately, the session ended before we got the chance to answer the questions that the audience had submitted. The silver lining is that we had the chance to write our answers thoughtfully instead of answering them on the spot.

In doing so, I found there were a couple of questions for which I wanted to provide longer answers. For context, you can see the whole webcast here:

Who should the CISO report to in order to be successful?

My default answer to this question is that the CISO should report to the CEO or equivalent. I say this because I firmly believe that information security needs an equivalent seat at the executive table. One of the reasons I like this question, though, is that it doesn’t just ask who the CISO should report to but adds the element of ‘to be successful.’ That phrasing forces me to consider whether this is the only reporting structure in which a CISO can succeed. In other words, if you’re a CISO and you don’t report to the CEO, are you destined for failure? Not really.

In other words, the reporting structure doesn’t determine a CISO’s success.

What does the data say these reporting structures look like today? IDG’s “2018 Global State of Information Security Survey” asked this question and found that 40% of CISOs or equivalent reported to the CEO, 27% directly to the board of directors and 24% to a CIO. The evolution of the CISO from an IT function to board-level visibility has been driven by changes in the impact of cybersecurity incidents. The resignation of