Cybersecurity Leadership

A wide variety of reporting structures can work if the CISO is understood to be semi-independent and governed by a group of trusted business, regional, and functional leaders. 

Reporting relationships are more than lines on an org chart, they're lines of authority. Ultimately, who the CISO reports to may say more about an organization's maturity than it does about an individual's effectiveness.

The CISO cannot be credible on all fronts. The role must evolve to address the transversal nature of security matters in large firms.

Corporate culture and the profile of the CISO are key, over and above any arbitrary organisational consideration It is astonishing to see the amount of interest still surrounding the reporting line o…

Corporate culture and the profile of the CISO are key, over and above any arbitrary organisational or separation of duties consideration

In several articles last year, we explored how to organise InfoSec for success and how to best establish the reporting line of the CISO.

The findings come from Splunk’s 2023 CISO Report, which was compiled from a survey of 350 CISOs and other security leaders in 10 countries, plus separate in-depth qualitative interviews with 20 CISOs.

Historically, the CISO reported to the CIO, but companies are increasingly considering a number of alternatives—from placing the CISO in the risk or enterprise data groups to having them report directly to the CEO or the board.

Why are so many organisations and security professionals still worried about the reporting line of the CISO? This is one of the oldest and most consistent debate agitating the security industry, and it looks far from resolved.

As companies respond to new cyber risks, a new leadership profile is emerging.

In several articles last year, we have explored how to organise InfoSec for success and how to best establish the reporting line of the CISO. Our view – built on years of direct field experience – is