Video: Should the CISO report to the CIO, or CFO?

Who does the CISO in your organisation report into? Information security, like information technology, is now a vital business issue, and the CISO is worth fighting for.

Who does the CISO in your organisation report to? The CIO or the CFO? It’s an issue that has become more and more important as the weight of emphasis the business places on IT shifts from the T, technology, to the I, information.

I was at a CISO summit last week, and someone raised an interesting point. The CIO and the CISO want different things: the CIO wants faster and cheaper, the CISO wants secure and good value. So the CISO should report to the CFO.

But I’m not so sure. One challenge that repeatedly emerged as a key topic at the summit was how to measure and report CISO performance within the enterprise. It was best summarised by Ivan Niccolai, lead analyst with the InfoSec analyst firm KuppingerCole.

He said:

This is the paradox of the competent CISO: how do they successfully communicate to board-level decision-makers the security incidents that were successfully contained on their watch?

How can security’s budget for defending an organisation’s information assets demonstrate business value to a non-technical board?

Swap the emphasis from the I back to the T, and that sounds a lot like a challenge the competent CIO will have solved. Digital assets are growing exponentially, and the need to access them, any time from any place, across various devices and platforms, has become a critical success factor. Information security, like information technology, is now a vital business issue. The CISO is worth fighting for.
