- Security teams report directly to the CISO in half (48%) of organizations, whereas 25% report to the CIO, followed by 12% that report to the CEO, according to the ISACA survey, State of Cybersecurity 2021 Part 2, in partnership with HCL Technologies. The survey was sent to more than 3,600 cybersecurity professionals holding an ISACA Certified Information Security Manager certification.
- Of the organizations whose security teams report to the CIO, it is possible the CISO also reports to the CIO, the report notes. ISACA found that regardless of whom a security team reports to — CISO or CIO — there is no significant difference in how a company views cyberattacks or in its confidence in its detection abilities.
- The differences lie in how other executives view cyberrisk assessments and the board's prioritization of cybersecurity. The majority of organizations (76%) perform risk assessments to ensure their regulatory compliance, followed by data loss prevention (54%) and improved communication of security policies and procedures (51%).
Though titles differ among the C-suite, shared business goals remain a constant. IT and cybersecurity have moved out of the back office and into the thick of business continuity, because when security is disrupted, so is the business.
The board closely watches the CIO and CISO's shared responsibility in business outcomes. However, the survey indicated that security teams reporting directly to the CISO, as opposed to the CIO, might have some business-oriented benefits, according to Rob Clyde, board chair at ISACA, advisor for ShardSecure, and executive chair of White Cloud Security. Sixty-one percent of the CIOs surveyed believe their board of directors prioritizes cybersecurity, whereas only 47% of CISOs say the same.
When the CISO sits at the top of the security reporting structure, companies likely have greater executive buy-in for risk assessments and for aligning cybersecurity with business goals. "However, the ideal reporting structure will really depend on the organization," Clyde said.
"CISOs need to be able to clearly articulate how cybersecurity strategy is connected to IT and business strategy, and CIOs need to be able to do the same with how they link IT to cybersecurity and business goals," said Clyde.
Pulling in top leadership can also signal public prioritization of cybersecurity. SolarWinds CEO Sudhakar Ramakrishna testified before Congress in March, and in June Colonial Pipeline CEO Joseph Blount did the same, following the companies' respective hacks. Both appearances brought the top leadership of the company, not just the top security executive, to the forefront of owning cybersecurity mishaps.
Over the years, the CISO title has become more prevalent in response to high-profile cyber incidents. A 2020 study by Cybersecurity Ventures predicted that 100% of Fortune 500 companies would have a CISO-equivalent role by 2021; however, the report expected many of those roles to go unfilled for lack of qualified candidates.
Despite the CISO role meaning different things at different companies, its responsibilities tend to bleed into governance, privacy, risk, emerging technologies, disaster recovery and innovation, according to Clyde and the ISACA report.
"In a very large organization, the CISO organization is likely to have many different heads of different areas of security reporting to the CISO," Clyde said. "In most cases, it doesn't make sense to have multiple heads of security with different specialties reporting directly [to] the CEO or CIO."