Who Does What in Cybersecurity at the C-Level

As security evolve as a corporate priority, so do the roles and responsibilities of the executive team. These seven titles are already feeling the impact.
Chief Information Security Officer (CISO)
Chief Risk Officer (CRO)
Chief Technology Officer (CTO)
Chief Information Officer (CIO)
Chief Privacy Officer/Chief Data Officer (CPO/CDO)
Chief Financial Officer (CFO)
Chief Audit Executive (CAE)

What’s in a title? As the threat landscape grows more severe, job titles and lines of reporting will continue to change for security professionals. For example, last year’s CIO 100 found that 70% of CISOs report directly to the CIO, while IDC predicted that during 2018, 75% of CSOs and CISOs will report directly to the CEO.

Rob Clyde, a vice chair on the board of directors at ISACA, says just about all C-Suite players will have a seat on the board of directors in the future – and they’d better be ready.

"However technical these people are, they still have to understand the business and explain the technology to the board in plain English," Clyde says.

John McCumber, director of cybersecurity advocacy at ISC2, says the Chief Data Officer will continue to play a more important security role at many companies – and should have a seat at the table. "Organizations live and die by data," McCumber says. "We are coming to the end of the 'era of threat' and now have to accept that the threats will exist and that we have to deal with them."

Here's a look at seven important C-Suite job titles in security: CISO, CRO, CTO, CIO, CPO/CDO, CFO, and CAE, and their key security roles as defined by ISACA's Clyde and ISC2's McCumber. 

Next slide
Recommended Reading: