As I travel the U.S. and the world, I am frequently asked what the proper reporting structure is for the Chief Information Security Officer (CISO). While it sounds cliché, the real answer is “it depends.” First, it is critical to understand the security goals for the organization and leadership’s perspective on security. Other factors such as company maturity, size, industry and the role you want the CISO to play should be considered. Only then can you determine if the CISO should report to the CEO, the CIO, the CRO, the CFO or some alternative reporting structure.