An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function
Abstract
The ideal reporting structure for the Chief Information Security Officer (CISO) function is not yet settled. Should the CISO report to the Chief Information Officer, Chief Operations Officer, Chief Financial Officer, Chief Internal Auditor, General Counsel, or Chief Executive Officer? Although the existing literature recommends reporting structures for the CISO position, most practitioners and researchers discourage adopting a "one size fits all" model. This study borrows from Complexity Theory and Interaction Theory to shed light on why so many different CISO reporting structures exist, even among companies of the same size, in the same industry, and facing the same information security risks. Using Complexity Theory, we posit that although the initial CISO reporting structure is unpredictable, organizations as open systems have an inbuilt capacity to self-organize, self-motivate, and learn to adapt the CISO reporting structure to their own work environment. Using Interaction Theory, we posit that the emerging reporting structure is created by the interaction between factors inherent in the organization's decision makers and factors inherent in the CISO function. This implies that the ideal reporting structure of the information security organization will inevitably vary with the organization's industry, mission, maturity, culture, risk exposure, resources, capabilities, and prevailing decision-making and governance infrastructure. Using a case study research method, we relied on numerous publicly available CISO interviews and on our own interviews of two seasoned CISOs. The study recommends best practices for evolving an effective reporting structure for the CISO function.
Full Text: PDF DOI: 10.15640/jcsit.v7n1a1
The Brooklyn Research and Publishing Institute