In breach event, to whom should CISOs report?

The leadership reporting structure following a data breach is still debated, with the reporting duties of the chief information security officer highly scrutinized. Some experts recommend CISOs report directly to CIOs and others recommend they report directly to CEOs, according to a Wall Street Journal report.

Those who believe the CISO should report directly to the CIO argue the importance of those two roles having a close relationship. Suren Gupta, CIO of Allstate, said in the report he asks his CISO to be involved in board meetings when discussing the cyber threat landscape.

Additionally, cybersecurity consultant Craig Shumard said CISOs should report to CIOs because the vast majority of their responsibilities involve technology, and the two together "form a more credible one-two punch of IT expertise," according to the report.

On the other hand, experts who recommend the CISO report directly to the CEO say doing so can help avoid conflicts of interest that could impact cybersecurity and offer the clearest view of the cybersecurity landscape, according to the report.

"The security function needs to be elevated to CEO level to give the organization the check and balance, and integrity it needs," said Avivah Litan, a cybersecurity analyst with Gartner, in the report.


© Copyright ASC COMMUNICATIONS 2020.

 
