For this research, we examined Forrester data on CISO reporting and organizational structures: CEO- and board-aligned; IT-aligned; and risk-aligned. CEO- and board-aligned CISOs report directly to the CEO or a board-level committee; IT-aligned — the most traditional approach — report into CIOs or other IT leaders; and risk-aligned leaders report into another C-level executive such as a general counsel, COO, or CFO, though most of our sample reported into a chief risk officer, hence the nomenclature.
One simple way to improve cybersecurity: Promote CISOs to report into CEOs.
Cybersecurity problems don’t disappear, but CISOs who are elevated in the organization and report to the CEO run better cybersecurity programs. Security matters now more than ever, making this the perfect time to think about a change in reporting structure. IT should also support this change, because our recent research shows that great technology organizations need great security organizations.
Here are five reasons to shift CISOs under the CEO, along with evidence proving why CISOs should lobby for the change:
One: Gain more control over the cybersecurity program with increased management responsibility. Sixty-six percent of security decision-makers whose most senior security official is CEO-aligned report that their management responsibility includes organizationwide/executive management, compared to only 49% for IT-aligned leaders.
Two: Find less resistance when asking for — and spending — security budgets. Eighty-three percent of CEO-aligned security tech decision-makers reported that they easily receive the funding needed to support their security initiatives, and 75% of IT-aligned security tech decision-makers say the same. Only 25% of CEO-aligned leaders report that someone above them in the organization challenges their budgets, compared to 34% for IT-aligned leaders.
Three: Simplify the security stack and vendor portfolio. Fifty-seven percent of CEO-aligned security decision-makers plan to increase use of security features built into their operating systems with the expectation that it will decrease reliance on third-party endpoint security solutions, a higher rate than IT-aligned (51%) or risk-aligned (49%).
Four: Experience fewer breaches. Nineteen percent of CEO-aligned security decision-makers estimated experiencing three to five breaches, compared to 29% for IT-aligned and 27% for risk-aligned. This also confirms that CISOs were not moved under the CEO because of a major breach (at least not one within the last 12 months).
Five: Increase the awareness of cybersecurity responsibilities across the employee base. Eighty-seven percent of CEO-aligned security decision-makers report that their employees are aware of their cybersecurity responsibilities, compared to 80% for IT-aligned and 76% for risk-aligned leaders.
For access to this data — and more — that proves that this shift is advantageous, Forrester clients can review the full report: CISOs Reporting To CEOs Solves Most Cybersecurity Problems.