[Material-Incidents] No. 12

CISO Reporting Structure

Hey everyone,

Given the engagement on my recent post about security leadership (i.e. who leads public companies’ security programs?), this week’s post takes that analysis a step further, leveraging 10-K filing data to answer the question, “who does the CISO report to?”. I’ve seen this question circulating around the internet, and as I was drafting this post, I noticed that YL Ventures recently published a similar deep dive on the CISO reporting landscape. I thought it would be interesting to compare their data (interviews with 50 Cybersecurity executives) to public 10-K data, and I was interested to see how similar our findings were. For all the busy readers, here’s the TLDR of what I learned:

  • The Chief Information Officer is overwhelmingly the most common reporting structure (nearly 40% of CISOs reporting into one)

  • Second to the CIO are CEO, Chief Risk Officer and Chief Technology Officer (31% of CISOs report to one of these leaders).

  • CROs are most common in the financial sector — and rarely mentioned across other sectors

  • The findings from public 10-K filings validate the findings from YL Ventures’ CISO deep dive (i.e. CIO, CEO, CTO are the most common reporting structures). The primary difference in 10-K filings was the prevalence of CROs.

The Analysis

The previous post cited 830 total Chief Information Security Officers who were leading their companies' information security programs. These 830 are a subset of the total 3,500 10-Ks filed with an Item 1C. Of the 830 original filings, only 432 mentioned a reporting structure for the CISO. I’ve put together another searchable dataset here. Some of the documents referenced reporting to the ‘Board of Directors’; I’ve excluded these instances as they’re likely describing a reporting cadence rather than a reporting structure (it’s unlikely the CISO would be reporting to the board directly; please send me a note if you’ve seen this setup before). Similarly to the last analysis, there was some normalization of titles, but the dataset still contained over 80 unique CISO reporting structures. Let’s take a look at the distribution of the most common titles:

Ten most common CISO reporting structures

The distribution of titles is mostly in line with what I would expect for the CISO role. I was surprised to see that CEO was the 2nd most common reporting structure found in these docs, though. It may be an indicator of how the role’s importance is shifting, but that is hard to say for certain from this point-in-time snapshot (I’ll take another look in a year).

Breakdown by sector

Note: Only 278 of the 283 10-Ks referencing these positions included sector data

As I discussed in my last post, the financial services sector had by far the most CISO representation, with 224 filings mentioning the position leading the security program. Looking at the reporting structure data by sector, the Chief Risk Officer datapoint stands out. This is the third most common CISO reporting structure, but the position is barely found outside of the financial services sector. This is consistent with the YL Ventures report mentioned earlier, which doesn’t list the CRO position. It’s interesting to see such a high concentration of CROs in financial services, though it’s unclear if that’s driven by the sector commonly having a large risk management function or the belief that security is a risk management problem…

Thanks for reading and following along! If you enjoyed this post, let me know or forward it along!

Matt