CISO Security ‘Portfolios’ Vs. Reporting StructuresOrganizational structure is a tool for driving action. Worrying about your boss's title won't help you as much as a better communication framework.
Every way to structure an organization has weaknesses.
In the first place, every executive learns early in their career that different structures have different strengths and weaknesses, and one reason to reorganize semi-regularly is to shake up some of the inertia that a structure brings. Having CISOs reporting to the CEO takes them out of the operational structure and puts them in a policy role, which creates risks that operations will hide deficiencies. Having CISOs in an operational role means that someone else might be formally responsible for risk sign-off, and their boss might hide deficiencies.
Second, every organization is different. Asserting that Amazon and Apple should have the same CISO reporting structure ignores the fact that Amazon is organized by products (retail, AWS, prime), while Apple is organized functionally (engineering, marketing). Claiming that General Electric and General Motors both need a CSO who reports to the boss ignores that GE is a conglomerate and GM is thinking pretty deeply about what their world looks like as they become a software company. (Now, you might argue that both have a CFO, but Sarbanes-Oxley mandated that role for public companies. The expansion of executive teams is getting attention in Harvard Business Review.)
Third, more important than where you report is how you work the organization. Of course, title is important. I remember a friend marveling at how much faster his meetings got accepted after he was re-titled from director of security to “chief.” Similarly, being a direct report to the boss is a signal of the importance a company is placing on a role. But unless everyone in IT reports to the CISO, they’re fundamentally an advisor, not the decision maker. And as an advisor, they need to work the org. They need to talk to the leadership of the company and balance between various priorities while advocating for security. That balancing and perspective is helped by being close to leadership and being brought into more conversations, and hindered if there’s an expectation that the org chart brings power.
Fourth, the CEO’s a busy person. They spend their days making decisions that no one under them can make. Their bandwidth for mentoring and advising may be more limited than other leaders.
Portfolio views are under your control. You can choose to use them without getting into a discussion of what the org chart should look like. A portfolio of controls is clearly and unambiguously in your domain. Using portfolio views is unlikely to step on anyone’s toes. You can use portfolios to anchor your discussions as you work the org. A good view like the Cyber Defense Matrix grounds the conversation by avoiding jargon and linking to the business.
In The Effective Executive, Peter Drucker talked about concentrating your effort on the things that matter most. Arguing about reporting structures is a less useful place for your effort than getting a grasp on the whats and whys using portfolio views.
Related Content In This Series:
Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio