Who Does What in Cybersecurity at the C-Level
As security evolves as a corporate priority, so do the roles and responsibilities of the executive team. These seven titles are already feeling the impact.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltfbf74d76cc40deba/64f0d692e0ecf1157065e587/Slide1CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
What’s in a title? As the threat landscape grows more severe, job titles and lines of reporting will continue to change for security professionals. For example, last year’s CIO 100 found that 70% of CISOs report directly to the CIO, while IDC predicted that during 2018, 75% of CSOs and CISOs will report directly to the CEO.
Rob Clyde, a vice chair on the board of directors at ISACA, says just about all C-Suite players will have a seat on the board of directors in the future – and they’d better be ready.
"However technical these people are, they still have to understand the business and explain the technology to the board in plain English," Clyde says.
John McCumber, director of cybersecurity advocacy at ISC2, says the Chief Data Officer will continue to play a more important security role at many companies – and should have a seat at the table. "Organizations live and die by data," McCumber says. "We are coming to the end of the 'era of threat' and now have to accept that the threats will exist and that we have to deal with them."
Here's a look at seven important C-Suite job titles in security: CISO, CRO, CTO, CIO, CPO/CDO, CFO, and CAE, and their key security roles as defined by ISACA's Clyde and ISC2's McCumber.
The CISO has direct responsibility for all security programs and policies. Sometimes, he or she has a dedicated staff that assists in implementing and monitoring security systems. Following all the high-profile hacks of the past few years, more CISOs report directly to the CEO or possibly the CFO, but it's most common for the CISO to report to the CIO. Up until the past few years, CISOs may have been two or three levels down from the CIO, but that's changing. They are also less likely to report to a Chief Security Officer (CSO), a job function that has responsibility for physical security as well as IT. With all the high-profile hacks, more companies are aligning the CISO position with the IT department.
Typically an attorney holds the CRO position, which covers more than just cyber risk. The CRO plays an important role in assessing how much cyber insurance the company should purchase and also assesses the company's regulatory risk. From an IT security perspective, the CRO plays an advisory role in which they explain to the board what risks malware, exploits, and other hacking incidents present to the company and what the risk/reward scenarios are.
There are two kinds of CTOs. One focuses on IT purchases: which firewalls, routers, data loss prevention tools, and anti-virus software the company requires. This person typically reports to the CIO and focuses on very targeted technology tasks and purchases.
The second type of CTO can be most often found at technology companies. These are people who focus on the technology that the tech companies build into their products, and more and more, security has become an important element of product development. Applications also are being developed with security built-in. The CTO assesses whether the company's customers can securely deploy the products they bring to market.
The CIO has broad responsibility for IT operations at the company. He or she typically has budget oversight, so all purchases of security systems and personnel must first get approval via the CIO's desk. Most CIOs report to the CEO and often have a seat at the table on the executive board, so they have to know enough about security to explain the company's risk and security programs to the board.
Many companies will have either a CPO or a CDO, but typically not both. This person focuses on the data privacy policies surrounding information on individuals. They assess what data the company needs to keep, and set retention policies for data. They decide on where the data resides, how it will be stored, and the policies around maintaining that data.
The CFO oversees all financial decisions and accounting. But in the past few years, the CFO has become an important person in terms of working with the CRO to decide how much cyber insurance the company needs. Both the CISO and the CIO may report to the CFO at some companies.
The CAE has responsibility for the IT audit as well as tax and other financial audits. At most large companies, the CAE has a direct line to the audit committee on the board of directors. While some critics maintain that the CAE should not have responsibility over the IT audit, that has yet to change at most companies.