Research conducted by PricewaterhouseCoopers found that, in 2006, just 22% of the more than 7,000 organisations surveyed had a CISO or equivalent function, but that proportion had grown to more than 80% by 2011. However, according to a recent report by CSO Magazine, anywhere between 40% and 60% of CISOs report to the CIO or IT executive function, with the variance depending on industry. The job of a CIO is centred on the efficiency and availability of IT systems, so that those systems meet the needs of the business and keep users productive. The CISO, however, is concerned with security and risk management and, given the ever-growing importance of these functions to an organisation, it makes more sense to elevate the role of the CISO so that they report to the CEO.
Elevating the role of the CISO in this way gives them more say in aligning security with the overall risk posture of the business, provides a simpler reporting structure, and provides the authority and, potentially, the budget required to implement a holistic, risk-based security programme. The US federal government is currently discussing a bill that would require federal department leaders to delegate to a senior agency officer designated as CISO, who would report directly to the department heads rather than to the CIO. The aim is to ensure that they have the authority and resources necessary to influence IT decisions that could introduce vulnerabilities or that could scupper compliance efforts.
Given the current reporting structure in many organisations, not all business leaders are kept adequately apprised of the security situation in their organisations. According to recent research from Core Security, just one-third of CEOs receive security updates from their CISOs, and only about one-quarter receive security communications on a "somewhat regular" basis. In the wake of some of the most publicised security breaches of the past couple of years, it has come to light that some of the organisations concerned did not have a senior enough executive in charge of the overall security programme. According to the CIO of Pacific Northwest National Laboratory in the US, which suffered a security breach in July 2011, internal investigations showed that the breach was directly related to a failure on the part of executive management, including the board, to demand regular security updates. As a result, executives had failed to recognise cybersecurity as a significant risk to the organisation, and consequently the cybersecurity programme had been allowed to degrade significantly. He stated that the lesson learnt was to watch CISO lines of reporting and to ensure that the CISO has the necessary authority to do whatever is needed to protect the organisation's information resources.