2011-11-23

The Reporting Line For A CISO

This is also an open-ended question: Should the Chief Information Security Officer (CISO) of an organization report to the CIO, CTO, CSO, CEO or COO?

I doubt there is a single answer that applies to all organizations. However, ideally there should be enough segregation of duties between the IT team and the IT Security team. This is required to ensure the IT Security team can operate freely and without any undue pressure. What good is the maker-checker concept if either party can be influenced by the other? Two simple examples to clarify my point:

  1. The IT project team is setting up a new system and has a tight deadline to meet. To cut corners, a few security best practices are overlooked. Will the CISO have the authority to pull the plug on this project if he reports to the Head of IT (who could be a CIO or CTO)?
  2. The OS and application patches are not being rolled out as frequently as they should be. The CIO likes to keep roll-outs to a minimum to avoid the issues and challenges a roll-out typically causes. Will the CISO have the authority to challenge the CIO here?

Here is an article that agrees with these views.
Here is another article that tries to answer this tough question.
