The right reporting line is the one that works. Period.
Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most persistent debates agitating the security industry, and it looks far from resolved.
It has been polluted for decades by arbitrary and simplistic views on “separation of duties” and alleged “conflicts of interest”. But those views often come from sectors of the corporate spectrum with a fairly theoretical idea of how an organisation should operate, and rarely reflect the reality of how large organisations function.
The truth is that people work with people and that strong organisations are bound by trust, not distrust.
So the reporting line of the CISO must be a means, not an end. A means to enable the security practice of an organisation to deliver on its objectives, whatever those might be.
And that of course implies first that the security practice needs to have clear objectives: A clear sense of purpose, a mission statement, an operating and governance model, a mid to long-term roadmap with clear milestones. It cannot be just a random list of projects driven by audit observations.
The reporting line of the CISO must be high enough in the organisation for the CISO to be visible, audible and credible across all corporate silos, across all business units, across all geographies and with key vendors.
The solidity of the relationship between the CISO and their boss is paramount. It is the true cornerstone of the construction and the real key to success. It must be unquestioned and unquestionable. They must speak with one voice, share the same vision of what security means and needs to achieve, and the same appreciation of the timeframes involved.
And finally, the reporting line of the CISO must allow the right degree of independence and freedom for the CISO to remain able to act in all situations and arbitrate freely on conflicts and priorities. But that last point is only a parameter in this equation and must not rule alone.
Frankly, if security is not top of the list with the CIO, in a context where cyber incidents are at the top of the news several times a year, and often several times a month, it is likely that the CIO is simply the “tip of the iceberg”, reflecting what the business units are pushing onto them. If that is the case, wherever you place the reporting line of the CISO in the organisation, you might find similar problems.
The key is to elevate the debate away from simplistic views on “conflicts of interest” and root it in the reality of the firm and the objectives of the security function.
The reporting line of the CISO needs to be meaningful – not arbitrary –, positively determined and operated on a basis of trust between the CISO and their boss, unambiguous, stable over the mid to long-term and positioned at a level in the organisation where action can be taken, and resources prioritised. That means at Board level or Board minus one. NEVER below.
Those are the key factors: They will lead to different answers from one organisation to another, and that’s perfectly normal. The right reporting line for the CISO is simply the one that works at enabling the security practice to do its job in the best possible way.