I suggest that different organizations require different types of CISOs based on these considerations. Of course, circumstances change over time and may require a change in the CISO's reporting structure.
Three Types of CISO
There are three major types of CISOs. Most versions of the role will be a mix of more than one type, but these descriptions provide some insights into where the CISO should report.
1. The Technical Information Security Officer (TISO)
The TISO specializes in technical security issues, operations and monitoring, which includes managing firewalls, handling intrusion-detection and intrusion-prevention systems, and so on. The TISO also coordinates and manages technical policies, controls and assessment activities. This person should report to the CIO, CTO or IT management.
2. The Business Information Security Officer (BISO)
The BISO specializes in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other. This person also assists in the implementation and translation of enterprise security requirements, policies and procedures.
Additionally, the BISO should perform business security assessments or, at a minimum, coordinate the handling of identified business-related security issues. Ideally, there should be a BISO embedded in every major business unit or division, and he or she should report to business management.
3. The Strategic Information Security Officer (SISO)
The SISO specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization's mission, goals and objectives. The SISO must coordinate with the operations officer and the BISO to ensure appropriate progress. The SISO should also be responsible for metrics, dashboards and executive reports, and for presenting assessments of the state of security in the enterprise to the board of directors. The SISO should report to an executive management function such as the chief risk officer, chief operating officer or chief legal counsel, or to an executive management committee.
When considering who the SISO will report to, think about whether the executive above the SISO will be able to give the role adequate support. For example, would the CEO be able to spend as much time with the SISO as is needed? The SISO should also be able to represent the corporation externally, that is, with third parties or in cyber insurance discussions.
You may infer that you need more than one type of CISO for your organization, and you may be right. In fact, for some organizations, one CISO is not enough. Seven percent of organizations responding to PricewaterhouseCoopers' 2011 global information security survey reported having more than one CISO. So, to whom should the CISO report? The short answer is: to the most effective manager, depending on the type of CISO.