Who should the CISO report to in order to be successful?
My default answer to this question is that the CISO should report to the CEO or equivalent. I say this because I firmly believe that information security needs an equivalent seat at the executive table. One of the reasons I like this question, though, is that it doesn’t just ask who the CISO should report to but adds the element of ‘to be successful.’ That phrasing forces me to consider whether this is the only reporting structure in which a CISO can succeed. In other words, if you’re a CISO and you don’t report to the CEO, are you destined for failure? Not really. The reporting structure alone doesn’t determine a CISO's success.

What does the data say these reporting structures look like today? IDG’s “2018 Global State of Information Security Survey” asked this question and found that 40% of CISOs or equivalent reported to the CEO, 27% directly to the board of directors and 24% to a CIO.

The evolution of the CISO from an IT function to board-level visibility has been driven by changes in the impact of cybersecurity incidents. The resignation of Target’s CEO in the wake of a significant breach was a watershed moment for the industry because it forced executives and boards to consider how an incident might impact them personally. This is, however, elevation for the wrong reasons. You don’t want to report directly to the CEO just so you can be fired instead of them.

The key component in the reporting structure that determines a CISO’s success is the ability to positively impact the business. Both Thom and I talked about the CISO’s changing role, and this was key. It’s not always easy to determine from the outside whether a CISO position will have the access and influence to make meaningful contributions to the business. Reporting structure is one of the clearest indicators, however. If the reporting structure doesn’t seem right, then you have to dig deeper into the position.
https://www.youtube.com/watch?v=LcsOOiJEzDA

The CISO’s Threat Landscape is Changing Constantly
Alright, that’s not a question. It was actually a comment in response to the comparison of the CISO and the CFO roles; it was specifically saying that the CFO’s accounting/financial landscape doesn’t change the way that a CISO’s threat landscape does. And it’s true that the threat landscape changes, but it changes less than we might think. There’s a whole industry focused on generating income from the newest, shiniest, most threatening threats possible. If you spend some time comparing what’s publicized in the media with what organizations are actually dealing with, you’ll find a Venn diagram that doesn’t perfectly overlap. In other words, there are some meaningful changes in the threat landscape that have occurred, but probably not as many as you would think from just reading headlines.

One way to see how the threat landscape has evolved is to compare data from the Verizon Data Breach Investigations Report (DBIR). In this case, I took a look at the 2019 report and the 2009 report because 10 years is a nice round number. Let’s look at the attackers (“who is behind data breaches”):
