Why the CISO Needs to Report to the CEO and Share Insights with the BoD
In a business landscape saturated with cyber bad actors, a Chief Information Security Officer (CISO) is critical for success. So why isn’t every CISO reporting to the CEO? And why do CISOs not always get to talk to the Board of Directors (BoD)?
The answers are simple.
Too many organizations base their CISO reporting structure on outdated ideas about cybersecurity. As a result, they have a greater risk of suffering a cyber attack.
But there’s good news — this is an easy problem to fix! Let’s talk about why.
CISO reporting to CEO: A new structure for today’s reality
By 2025, cybercrime is expected to cost companies $10.5 trillion globally. That’s a ton of lost money. How could it be?
There are two main reasons:
Cyber bad actors are expert professionals.
Most businesses don’t take cybersecurity seriously enough.
Let’s quickly unpack that.
As a business professional, you can’t control what cyber bad actors do. They will keep innovating to steal your money, data, and intellectual property (or, worse, your customers’ money, data, and intellectual property). What you can do is stay ahead of them and stop them. You need to approach cybersecurity on two fronts: technical and conceptual.
Technical
You want state-of-the-art software protection and best-in-class cybersecurity expertise; however, you might not always be able to pay for it. But what you can always do is make sure you have solid technical cybersecurity practices in place. Do you deploy zero trust? How’s your attack surface management? How many levels of security do you have in place? These are critical cyber principles in the modern world.
Conceptual
You want to think about who manages your security team. To whom do they report? Who represents their needs at the organizational level? In today’s world, where cybersecurity is a primary business area, not a secondary add-on, your CISO should report to your CEO and share insights with your BoD.
What does a CISO do?
A CISO leads cybersecurity efforts. They identify weaknesses and vulnerabilities, develop a strategic cyber plan, and form a security team to implement and execute it.
In other words, the CISO is responsible for an organization’s cybersecurity efforts. Whether introducing new technologies, overseeing audits and risk assessments, or driving training and education, they’re paving the way through the threat landscape.
A CISO needs to be comfortable discussing data recovery tools and understanding supply chain forecasting for cyber risk. They need to know the main elements of GRC and be capable of building and motivating an empowered team. And have the added responsibility to be able to both simplify and contextualize the details of technical cybersecurity issues so their fellow C-suite members can understand and make informed decisions. CISOs are often seen as technical experts, but that would be shortsighted. We recommend taking a different approach. That article can be found here.
CISO as a strategic leader
CISOs sometimes ping-pong around the org chart in an ineffective, inefficient, and potentially costly manner. If the company considers cyber in terms of technology, it may relegate the CISO to IT. Separated from the C-suite, the CISO may find it challenging to get their budgets and personnel appointments approved. Suppose the company experiences an uptick in cyber threats but doesn’t suffer a potent attack (at the moment…). In that case, they may boost the CISO up the chart, having them report to a VP of Risk, Chief Financial Officer (CFO), or worse…Chief Legal Officer (CLO) or equivalent. This detaches the CISO from cyber operations while keeping them disconnected from the critical organizational decision-maker: the CEO.
For today’s organizations, we recommend that the Board of Directors oversee the CEO and the CEO oversee the CISO (and other C-suite executives). This creates a clear hierarchy and reporting structure.
Within this framework, the CISO becomes a strategic leader. With high visibility into the business, they can coordinate with the CFO, CLO, and other executives, aligning with their goals and avoiding disconnects.
For a modern organization, this represents the evolution of cybersecurity as a critical business area. Cyber threats have been destroying businesses for years, but only recently have some organizations outgrown the old CISO models.
3 benefits of having the CISO report to the CEO
When CEOs and CISOs have a direct reporting relationship, their streamlined communication can significantly improve your cybersecurity defense by helping to ensure three main things:
Critical cyber info never gets lost
In larger companies, critical cybersecurity information must be shared between the executives responsible for it, not filtered by another executive (or two or three) with different priorities. The CISO needs to be able to directly alert the CEO to the latest cyber threats and thoroughly discuss their defensive strategy and tactics.
If those conversations happen secondhand via the CFO or CLO, essential details will likely get lost, which can increase cyber risks as indirect communication continues. It may also just compel the CEO to speak to the CISO anyway, in which case… why not save time by doing it from the beginning?
Bottom line: In an increasingly complex cyber landscape, cybersecurity intel must be passed up the chain of command clearly, not turned into a game of telephone.
You balance business and security risks
Let’s say the CEO wants a new business partner. An analysis showed that the partnership could triple the company’s annual recurring revenue within three years. The only thing is, the potential partner is a global organization with thousands of suppliers, and they’re not exactly forthcoming on how they manage those security risks.
Does it make fiduciary sense to do the deal? To answer that question and make an informed business decision, the company needs input from a high-level cyber expert, ideally one who also works for the business … in other words, the CISO. In the example, the CISO would quantify the proposed partnership's costs (emphasizing cyber-centric expenses that may result from the partnership if it were to go awry, like GRC and reputational costs). After this, the CEO can adequately evaluate this decision from both the business and critical security angles, which can save time, money, and headaches.
Bottom line: CEOs need to know all cyber risks to make informed business decisions fully, which can only happen when the CISO is their direct report.
You stay ahead of your most significant adversary
Bad actors take on many forms. Some are criminals, others are nation-state actors (those funded by a government), while others are a bit of column A… and a bit of column B. Either way, they’ll be a constant threat, trying to steal your money and data day and night. More than a tough competitor, an aggressive regulator, or a rogue partner, a bad actor will always be your most significant human-centric adversary. Keep in mind they are playing the game without care for rules of engagement, zero legal limitations, and (most of the time) they have zero fear of reprisal. Laws or business norms don’t hinder their actions. Why?
Cybercrime is a form of theft that has been with us since the dawn of time. You need to respect it for better or worse (OK, definitely for the worse). Bad actors scour the landscape looking for opportunities; in an organization where cybersecurity is just another functional unit and the CEO never talks to the CISO, it’s an easy mark. Luckily, you can address this issue by crafting a clear link between the CEO and CISO; when a bad actor makes a move, the company will be well-positioned to meet the threat head-on.
Bottom line: Anything less than the CISO reporting to the CEO increases the chance your organization won’t be able to quickly and effectively mitigate threats posed by bad actors.
Be bold
Let’s wrap up by sticking to the evolution theme. If a CISO feels new, it’s because it is. The first one didn’t appear until 1994, when Citi created a special cybersecurity office in response to a foreign hack.
There’s a CISO (or equivalent) at almost every Fortune 500 company in all 50 states. CISOs are so important they’re the target of fake profile scams. Gartner says that 88% of board directors recognize cybersecurity as a business risk and that CISOs should be more integrated across the company.
All signs point to the CISO taking a proper C-suite-level position. If you’re not already keeping up with this reality, what are you waiting for?! The next big data breach to cripple your company?
Today’s businesses have no business not being at the cutting edge of tech, especially regarding cybersecurity. So be bold! Upleveling and empowering the CISO ensures your company stays ahead of the cyber bad actors. This is one area it doesn't pay to be a late adopter.
Do you want to use our content for your site or training material, or would you like us to write curated white-label content for you? We can help you! Let’s talk.
A martini. Shaken, not stirred…can be yours if you share this article. What say you? 🙂
Are you looking to go to a persona page?
Cyber 101 | The Solopreneur | SMB | BoD