by bryant
1204 days ago
You'd be surprised how often this happens though. I've seen all the following structures:

CISO -> COO -> CEO
CISO -> CIO -> COO -> CEO
CISO -> CSO -> COO -> CEO
CISO -> CLO -> CEO
CISO -> CLO -> CFO (wtf?) -> CEO

And none of: CISO -> CEO, or even CISO -> CSO -> CEO.

The only one I've seen be extremely effective aside from a direct reporting relationship has been where the role reported up to the CLO (general counsel) and said role reported up to the CEO directly. Reporting up to the CIO or CFO (again wtf?), there were conflict issues at play where the CIO or CFO was obligated to prioritize their main mission. CISO to COO worked fine generally from what I saw, as did CISO to CSO to COO, but it meant the CEO was often shielded from issues where they could impactfully move the needle where needed.

---

The CFO one was at a company owned by private equity, which makes perverse sense when you consider that most business leaders consider infosec to be a pure cost center rather than a business enablement function. Doesn't help that many CISOs historically never ran their shops with business enablement in mind either, which put a lasting dent in infosec's reputation as a function that many emerging leaders are still trying to rehabilitate.