The right reporting line is the one that works. Period.
Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most persistent debates agitating the security industry, and it looks far from resolved.
It has been polluted for decades by arbitrary and simplistic views on “separation of duties” and alleged “conflicts of interest”. But those views often come from sectors of the corporate spectrum with a fairly theoretical idea of how an organisation should operate, and rarely reflect the reality of how large organisations function.
The truth is that people work with people and that strong organisations are bound by trust, not distrust.
So the reporting line of the CISO must be a means, not an end. A means to enable the security practice of an organisation to deliver on its objectives, whatever those might be.
And that of course implies first that the security practice needs to have clear objectives: a clear sense of purpose, a mission statement, an operating and governance model, and a mid to long-term roadmap with clear milestones. It cannot be just a random list of projects driven by audit observations.
The reporting line of the CISO must be high enough in the organisation for the CISO to be visible, audible and credible across all corporate silos, across all business units, across all geographies and with key vendors.
The solidity of the relationship between the CISO and their boss is paramount. It is the true cornerstone of the construction and the real key to success. It must be unquestioned and unquestionable. They must speak with one voice, share the same vision of what security means and needs to achieve, and the same appreciation of the timeframes involved.
And finally, the reporting line of the CISO must allow the right degree of independence and freedom for the CISO to remain able to act in all situations and arbitrate freely on conflicts and priorities. But that last point is only a parameter in this equation and must not rule alone.
Frankly, if security is not top of the list with the CIO, in a context where cyber incidents are at the top of the news several times a year, and often several times a month, it is likely that the CIO is simply the “tip of the iceberg”, reflecting what the business units are pushing upon him. If that is the case, wherever you place the reporting line of the CISO in the organisation, you might find similar problems.
The key is to elevate the debate away from simplistic views on “conflicts of interest” and root it in the reality of the firm and the objectives of the security function.
The reporting line of the CISO needs to be meaningful – not arbitrary –, positively determined and operated on a basis of trust between the CISO and their boss, unambiguous, stable over the mid to long-term and positioned at a level in the organisation where action can be taken, and resources prioritised. That means at Board level or Board minus one. NEVER below.
Those are the key factors: They will lead to different answers from one organisation to another, and that’s perfectly normal. The right reporting line for the CISO is simply the one that works at enabling the security practice to do its job in the best possible way.