An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function
Conrad Shayo, Frank Lin

Abstract
The ideal reporting structure for the Chief Information Security Officer (CISO) function is not yet settled. Should the CISO report to the Chief Information Officer, Chief Operations Officer, Chief Financial Officer, Chief Internal Auditor, General Counsel, or Chief Executive Officer? Although existing literature provides recommended reporting structures of the CISO position, most practitioners and researchers discourage the adoption of a ―one size fits all‖. This study borrows from Complexity Theory and Interaction Theory to shed light on ―Why‖ we may have so many different reporting CISO structures even for companies of the same size in the same industry faced with the same information security risks. Using Complexity Theory, we posit that although the initial CISO reporting structure is unpredictable; organizations as open systems have an inbuilt capacity to self-organize, self-motivate, and learn to adapt the CISO reporting structure to their own work environment. Using Interaction Theory, we posit that the emerging reporting structure is created by the interaction between factors inherent in decision makers of the organization and factors inherent in the CISO function. This implies that ideal reporting structures of the information security organization will inevitably vary according to the organization‘s industry, mission, maturity, culture, risk exposure, resources, capabilities, and prevailing decision making and governance infrastructure. Using a case study research method, we relied on numerous CISO interviews available on open source and our own interviews of two seasoned CISOs. The study recommends best practices for evolving an effective reporting structure for the CISO function.

Full Text: PDF     DOI: 10.15640/jcsit.v7n1a1