Security teams would benefit if they directly report to CISO instead of CIO, says report

Security teams report directly to the CISO in half of the surveyed organizations, but only 25% report to the CIO.

According to an ISACA survey, security teams report directly to the CISO in half (48%) of organizations, whereas 25% report to the CIO, followed by 12% that report to the CEO. The survey also indicated that having security teams report directly to the CISO, rather than the CIO, may bring business-oriented benefits. Samantha Schwartz has written on CIO Dive about the benefits of reporting directly to the CISO.

Here is what she wrote:

  • Once a CISO is at the top of the security reporting structure, they will have more executive buy-in for risk assessments and for aligning cybersecurity and business goals.

  • CISOs need to articulate the connection between cybersecurity strategy and business strategy, and CIOs need to be able to do the same with cybersecurity and business goals.

  • Over the years, the CISO title has become more prevalent in response to high-profile cyber incidents.

  • Cybersecurity Ventures predicted that by 2021, 100% of Fortune 500 companies would have a CISO-equivalent role. However, the report also believes many of these roles will go unfilled due to the difficulty of finding qualified candidates.

  • Although the CISO role means different things at different companies, its responsibilities are not confined to these categories; they also cover governance, privacy, risk, emerging technologies, and disaster recovery.

What We Think

Security works best when senior leadership fosters a collaborative atmosphere. Although the CISO is more directly involved with security, there should be no disconnect between the CISO and the CIO.

You can read the full article here.