In an article published in Security Roundtable on Tuesday, May 29, partner David Katz, who leads the Privacy and Information Security practice group, provides insight on the most common reporting structures for CISOs / CSOs. Specifically, he shares the pros and cons of CISOs reporting to the chief information officer (CIO), the chief data officer (CDO), and the chief executive officer (CEO). Generally, CISOs have reported to the CIO since the creation of cybersecurity; however, much of a CISO’s role exists outside of IT and may be better suited to reporting to other positions. Katz comments, “There can also be a conflict of interest when the CIO must weigh security against other priorities such as networking, application development, infrastructure support, and outsourcing.”
Additionally, a CISO reporting to the CDO has the potential for conflict. The two view their roles differently – one an offensive position and the other a defensive position. Katz explains, “This sets an inherent conflict, and the end result is to place the CISO in a position of being perceived as potentially hostile to the business objectives.”
A CISO reporting to the CEO is considered the exception, despite previous predictions that this would become the norm. According to Katz, the CISO role maintains its independence when it reports to the CEO, and this “enables frank and candid discussion with respect to risk, resources, prioritizations, and conflicts that may arise among the larger group of stakeholders within the entity.”
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.