Chief Information Security Officers Should be Reporting to Chief Risk Officers


In the “old days” the physical security team sat in a back room watching cameras on a bank of CRT monitors, and information security was part of the network administration group, tasked mostly with managing firewalls to keep the bad guys from breaking in through companies’ T1 lines. Those were simpler times, before technology touched every aspect of our personal and professional lives, before networked PCs, the internet and the Sarbanes-Oxley Act.

As time went on, more companies saw the need to appoint a manager to oversee the many moving parts of information security, leading to the creation of the Chief (Information) Security Officer (CISO/CSO) position.

Today, there are few enterprises that do not have a CISO. Even though they have achieved a position of leadership, these technically rooted CISOs have largely struggled with managing highly complex enterprise environments that extend to the cloud and smartphones, threatened by an ever more sophisticated adversary who takes advantage of a daily pile of new vulnerabilities to exploit key assets and damage businesses’ reputations and bottom lines. Add to the mix regulators mandating compliance with continuously evolving requirements, and you have the makings of a CISO identity crisis.

Historically, CISOs have reported to the Chief Information Officer because of their technology-focused role. However, as the CISO position has evolved, more companies are shifting CISO reporting lines to the Chief Risk Officer (CRO). The shift has not been without controversy, the main objection being that no matter how you spin it, technology is still at the heart of the job. True as that may be, technology, just like people, electricity and coffee, is at the heart of most jobs in today’s corporate world.

To have a prayer of minimizing the impact of cyber events on their company, CISOs need to approach cyber security less from a technical standpoint and more from a risk standpoint, which is why reporting to a CRO makes sense.

Fundamentally, applying limited resources to protect assets of value from threats exploiting vulnerabilities is a risk management problem. The measures taken to best protect those assets will largely (but not entirely) be technical in nature. Just as we do not build office buildings without windows in case of a tornado, our information infrastructure is inherently exposed to the elements, and there needs to be a better measured approach that enables business to be conducted without needlessly endangering it. That approach entails looking at cyber security from a risk management standpoint, meaning applying security resources based on the likelihood that threats and vulnerabilities align to have a significant impact on the business. CISOs quarterback that process and therefore benefit from being part of the risk organization.

It’s also important to recognize that a company’s greatest asset, its people, is also its greatest vulnerability. In other words, people create cyber risk. No matter how tall a company builds the walls around its assets, as long as it has users with legitimate access to sensitive corporate information, that information is exposed to compromised accounts, phishing, social engineering, etc. Solving this human problem requires a respected professional sitting at the same table as the rest of the company’s leaders, to build a culture of risk management that emphasizes protecting the company’s assets as their own. As part of the risk organization, CISOs project greater authority to persuade their peers across the organization of the importance of this non-technical problem to the bottom line.


Cyber risk reduction starts at the top, meaning other C-level executives and the board must view it as a top business priority. The industry is getting closer to achieving that goal, and cyber risk is getting significantly more attention. As a recent board survey reveals, 74 percent of board members say cyber risk information is reported to them weekly. The next step is for CISOs to make that information meaningful and actionable by speaking the language of the board, the language of risk. CISOs who purely talk tech are perceived as “techies” with limited understanding of the business. To demonstrate that they understand how cyber risk plays into their company’s operations and bottom line, CISOs must communicate risk the same way other business leaders communicate about other operational risks. Reporting to the CRO will support and accelerate that shift.
