CIOs reporting to CISOs? Security teams dissolved? Companies reconsider leadership structure

Companies continue to struggle with leadership structure.
Should the CIO report to the CISO? Should security teams disappear? These are bold moves currently on the table as companies continue to struggle with leadership structure.

The hierarchy is pretty typical across organizations: the chief information security officer is the most senior IT executive in charge of protecting data and systems, reporting to the chief information officer, who oversees the computer systems required to support the business objectives. A 2021 report from AINS, which was updated in March 2022, found that 54% of surveyed CISOs report to a CIO, with 15% reporting directly to a CTO. Sixty-nine percent reported into a technical function, rather than a business function.

But what if that was turned upside down? It’s an idea that’s been suggested within the security community. “We're forcing CISOs to be true business executives. They also have to be super technical, or they at least need to have an understanding about the systems that they’re defending,” said Ben Johnson, cofounder and chief technology officer at Obsidian, at a lunch roundtable discussion during the RSA Conference. “The result is that they’re quickly having to move up the ladder.”

Of course, the counterargument would be that cybersecurity is still a function of information technology, and the CIO needs to lead the comprehensive mission of IT. But deciding which side is right may be less important than understanding why the debate has emerged in the first place.

“I think the root of the problem is that security is still seen as a tax rather than an investment,” Johnson said in follow-up comments to SC Media after the lunch discussion.
“In order to continue to shift that, we all need to continue to communicate the risk involved with the technology driving our businesses.”

Johnson likened the necessary shift in mindset to building cars with safety integrated from the very beginning of the design and engineering process, versus adding some seat belts and airbags after the fact. Whether reversing seniority to make the CISO the most senior IT executive in an organization is realistic in today’s enterprises “is less important than creating a lens whereby technology deployments and investments are mapped to a security framework and architecture, making sure that new technology strengthens the overall security posture rather than weakening or complicating it,” he said, pointing to the related trend of CISOs becoming CIOs.

“Security teams, including leadership, need to understand the technology stack, and CISOs are continually being asked to be business leaders,” he said. “This means they’re a strong fit for the CIO position, so having that additional security DNA at the CIO position raises the entire company’s awareness and capabilities around cyber defense.”