CISOs Will Increasingly Report to Top-Level Management

This blog entry explains the seventh of my ten predictions regarding events and trends that I have claimed will come to fruition in 2008. The seventh one is:

7. The trend of CISOs reporting to executive-level management will accelerate due to the increasing importance of information security within organizations.

Not so terribly long ago, the title “Chief Information Security Officer (CISO)” was virtually unheard of. Information security managers were generally buried somewhere at lower levels within organization charts, often two or more reporting levels removed from the Chief Information Officer (CIO). Things have changed drastically over the last six or seven years, however. There has been a growing recognition of the reliance organizations have on information and information processing assets and of the critical need to protect both, which has greatly expanded the perceived importance of, and reliance upon, the information security function. News of often dramatic security-related breaches in which organizations have lost millions of dollars and have also sustained major public relations damage has made its way into media such as the Wall Street Journal, to which executive management pays attention. Additionally, the ever-growing need for compliance with the many regulations that now exist, most of which have at least some information security-related components, has created the need for input from and action by the information security function within organizations. These developments have all led to a marked trend for the information security managers of organizations both to report directly to executive-level management and to be called CISOs. A 2005 PricewaterhouseCoopers report in fact indicated that 21 percent of CISOs surveyed reported directly to the CEO.

This trend has, if anything, only become more pronounced since this survey’s results were announced. The majority of my friends and colleagues who hold the top information security management positions within their organizations have the title of CISO and report directly to the CEO. Some still report to the CIO, something that I do not consider optimal because information security far transcends IT security, but if they do, at least they report directly to the CIO rather than to a CIO intermediary. With cybercrime and cyberespionage growing as they have been, with malware continuing to become increasingly complex, and with the complications that invariably accompany compliance, information security has become increasingly visible not only within “C-level” management but also within boards of directors. It is thus not at all difficult to predict that CISOs will, if anything, increasingly report to top-level management.
