During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on whether it was appropriate for Equifax’s CISO to report to the general counsel. That questioning has prompted several companies to re-examine their own reporting structures for cybersecurity. So what is the right structure for CISO reporting? As usual, there is no single right answer.
We have seen many different reporting structures for CISOs (e.g., to the CEO, COO, CIO, GC, or directly to a board committee), and regulators have not required any particular structure. In designing a reporting structure, companies should consider, among other factors:
- The scope of the CISO’s responsibilities;
- The cybersecurity threats the company faces; and
- The level of technical knowledge—both IT-related and specific to cybersecurity—of management and the board.
An optimal structure will provide the CISO with the resources and attention from senior management necessary to ensure that the company has effective cybersecurity and is able to respond to cyber incidents. That usually requires the CISO to report to someone with an interest in, and experience with, technology, which is why it is common for CISOs to report to the Chief Information Officer (“CIO”) or Chief Technology Officer (“CTO”). But that structure may not be optimal if (1) effective cybersecurity for the organization requires significant efforts from other functional groups, (2) there are other C-suite executives who are familiar with cybersecurity, and (3) the CIO is not the best person to get what is needed from those groups. A further consideration is independence: a CISO who reports to the CIO is assessing the security of systems the CIO owns and competing with the CIO’s other priorities for budget, so the structure should give the CISO a credible path to escalate unresolved risks above that level. In short, the CISO should report to whomever is best positioned to champion effective cybersecurity throughout the organization.