Two key drivers are requiring information security organizations to adapt to a new business context: a substantial increase in the variety of activities that chief information security officers (CISOs) are responsible for and a devolvement of a core security activity -- operational IT security. The shift in CISO responsibilities means a recalibration of the role and its reporting structure.
Over the last decade, CISOs have not only seen their budgets and staffing increase, but also their responsibility. Where they once were responsible solely for IT security, CISOs now often manage related activities such as information risk management, IT compliance and incident response. Some are even taking on responsibility for activities involving privacy, disaster recovery and IT risk management. At the same time, as the business and third parties manage more technology themselves, the CISO's traditional operational responsibility for IT security has transferred to the IT function.
Given that, CISOs' reporting structure is also changing. In 2012, CEB data indicated nearly 90% of CISOs reported inside IT. Today, many of the new CISO responsibilities fit better in places such as legal or enterprise risk management (ERM). These changes have led to a near doubling of the share of CISOs reporting outside IT compared to three years ago, according to our data.
The significant expansion in the scope of CISO responsibilities requires business leaders to be more deliberate in structuring accountability for activities in the information security, privacy, and risk ecosystem. As CISOs become responsible for more activities and become less directly connected to IT, two questions arise: Which activities should be grouped and managed by a single executive and where should each of these executives report?
We analyzed common activities in the information security, privacy, and risk ecosystem and predict that they will soon be housed under different functions.
IT Security Operations
Activities related to IT security operations (e.g., monitoring, identity management, operational roles) will go into the IT Infrastructure function. This group will then have a pure "first line of defense" role with operational responsibility, but will not be responsible for governance, as this will remain with information security. This should please regulators in the United States and Europe, as they have been pushing to separate the first and second lines of defense that are common to information security groups to reduce gaps in risk coverage and clarify roles and responsibilities in providing risk oversight.
IT Risk Management
A second set of activities is related to risk management, including IT risk management, business continuity planning, disaster recovery and perhaps third-party information risk management. Most companies do not have a formal IT risk management, but those who do house it within the office of the CIO. These responsibilities may also be rolled up into enterprise risk management (ERM) if the team can support it, but most ERM teams are very small and not set to operationally manage risk. Instead, they design and facilitate risk management processes.
Privacy and Information Governance
Today, privacy leaders are equally likely to report into the compliance or legal departments, but most companies don't have anyone formally responsible for aspects of information governance beyond privacy. As companies look to better exploit their information's value, viewing information use as more of a business opportunity than a compliance concern, legal will be a more logical home for a consolidated privacy and information governance function. Privacy will join other activities that legal is concerned with, such as e-discovery and records management.
Alternatively, some companies are exploring creating a chief digital officer or chief data officer who is responsible for maximizing information's business value. In this scenario, privacy, information governance, and the operational role of information management would fall to this new role.
Notably absent from this discussion is where information risk management fits in. When information risk management is considered a component or owner of IT risk management, it makes the most sense for it to remain with the CIO in IT, not among the new CISO responsibilities. When information risk management is considered the risk management element of information governance, it would land in legal or within the responsibilities of a chief data officer.
As more of these activities receive formal management and additional resources, leaders need a guide to inform restructuring decisions. But no matter how they are arranged, organizational structures exist for pragmatic and theoretical reasons. Ultimately, CISOs find that the most important attribute of their reporting line is how well they work with their manager, not what role that person holds.
Recent advice from CEB:
Five mistakes not to make when reporting to the board
Digital readiness and the CIO
Enterprise digitization: Six elements