If a cyber attack can shut down operations, destroy business models or undermine competitive advantage, then it is not an operational risk – it is a strategic risk. Cyber attacks have shown that ultimate accountability to shareholders for such strategic risk resides with the board and CEO.
In response to the cyber attack on US retailer Target, for example, shareholders alleged that senior leaders and directors breached their fiduciary duties. They filed lawsuits against all board directors, the CEO, CFO and CIO, arguing that they showed reckless disregard for their duties, posing a risk of serious injury to the company.[1] Five months after the attack, the CEO announced his resignation.
Does this suggest that the person responsible for cybersecurity should report directly to the CEO? In reality, this is rarely the case.
In 2019, 38 per cent of Fortune 500 companies did not even have a CISO.[2] Of those that did, only 4 per cent listed the CISO on their leadership webpages – a sign that organisations continue to see the role of a CISO as largely technical rather than strategic, and subordinate to other IT-related positions. Many CISOs seem to be distant from the CEO. Although the CISO role is vital in protecting business value and defending against growing cyber threats, many companies continue to grapple with the most effective reporting structure. But there is no one-size-fits-all model.
Three Reporting Options
Although the models adopted vary by sector and geographic region, most organisations choose one of three options.[3] In the traditional model, the CISO operates within the IT function and reports to the CIO. This technology-aligned approach seems a natural fit because securing an organisation’s IT is a cornerstone of cybersecurity policy. The downside, however, is that the CISO may become detached from business initiatives, which reinforces the perception that cybersecurity is an IT necessity rather than a business imperative. This model may also cause tension in resource allocation and speed of execution – CIOs tend to drive initiatives that accelerate digital transformation, whereas CISOs will want to make sure this is done securely by design.
In the second model, the risk model, the CISO reports to the chief risk officer. Although this acknowledges that cyber risk is a business risk that can threaten an organisation’s survival, it may leave the CISO too detached from critical operational capabilities within IT.
Under the third model, the strategic model, the CISO reports directly to the chief executive officer. This gives the CISO high visibility within the business and elevates cybersecurity to the right strategic level. However, this means that the CEO and CISO have to align on a common language to avoid a disconnect between them.
The Perfect Model Does Not Exist
The perfect reporting model does not exist, because each model entails compromises. Although a well-crafted reporting structure is important in designing a resilient organisation, reporting is not, in and of itself, a silver bullet. So, what really matters?
Governance is the complementary but often overlooked aspect of designing cyber resilient organisations. It is the system by which companies are directed and controlled – the structure and processes for decision-making, accountability, control and behaviour at the top.
To enable a cyber resilient organisation, companies need to connect discussions on reporting structures with cybersecurity governance. If the correct governance is not in place, it won’t matter where the CISO reports. The cyber attack on Target is a classic case of governance failure. The attack exposed serious weaknesses in board-level governance. Astonishingly, it took about a month after the attack was initiated for its full effect to reach the CEO’s desk. Shareholders later accused Target’s audit and corporate responsibility committees of failing to recognise the potential threats to the company.[4]
Connecting Reporting Structures with Governance
In our experience, we see four key actions that executives can take to optimise their organisation’s design and governance:
- Incorporate new and more wide-ranging criteria in determining reporting structures
Traditionally, companies have tended to determine their reporting structures based on factors such as strategy, size and industry benchmarks. To find a suitable reporting line for their CISO, however, they should consider a much broader array of factors. These include a company’s cybersecurity maturity, stage of digital transformation, regulatory environment, risk appetite, IT architecture and the capabilities and leadership profile of CISOs themselves. Companies that only use traditional criteria risk ending up with a reporting model that makes their organisation less resilient to cyber attacks.
- Frame cybersecurity risk as an enterprise risk
Because cyber risk is often perceived as purely technical, mitigation gets delegated to the IT function. To mitigate cyber risk effectively, it needs to be treated as an enterprise risk and expressed in terms that everybody (including the board) can understand. This means quantifying and prioritising cyber risks based on the potential damage to the business, highlighting points of vulnerability in the business, setting out potential cyber attack scenarios, and putting risks in the wider context of geopolitical threats.
- Recognise that the board and CEO are accountable for cybersecurity
Ultimate accountability resides with the board and CEO and not solely with the CISO – the attack on Target being a case in point. It often takes a debilitating cyber attack for CEOs and boards to recognise their accountability and to structure their organisation accordingly. As countries ramp up cybersecurity regulation, CEOs and boards will be held accountable not only by shareholders but also by regulators.[5]
- Give the CISO a seat at the table
Irrespective of reporting lines, invite CISOs to board meetings when cybersecurity is on the agenda, ideally every quarter. The CISO can present to and increase the cyber literacy of the board. In a 2019 Harvard Business Review study, only 37 per cent of respondents said the CISO provided an annual cybersecurity strategy report and evaluation to the board.[6]
So, where does this leave us?
The unprecedented explosion of cyber attacks, seemingly destined to continue to rise, means that eventually almost every organisation will be put to the test. Under these circumstances, CEOs should maintain very close oversight of cybersecurity, if not a direct reporting line with the CISO.
Indeed, this is how governments structure their defences. When a country is under attack from a foreign adversary, the supreme command over the military usually resides with the head of state. Even in times of peace, the minister of defence reports to the head of state. Perhaps there is a lesson in this for the corporate world.
1. Kulla V Steinhafel, No 0:14-cv00203, complaint (D. Minn. filed Jan. 21, 2014) (https://storage.courtlistener.com/recap/gov.uscourts.mnd.136359/gov.uscourts.mnd.136359.1.0.pdf)
2. Bitglass (2020). The cloudfathers: An analysis of cybersecurity in the Fortune 500. (https://pages.bitglass.com/rs/418-ZAL-815/images/Bitglass_TheCloudfathers_Fortune500.pdf)
3. Scholtz, T. (2021). Determining whether the CISO should report outside of IT. Gartner (https://www.gartner.com/doc/4000571)
4. Srinivasan, S., Paine, L., Goyal, N. (2019). Cyber breach at Target. Harvard Business School.
5. See, for example, Atkins, S., Luck, K. (2020) Enhanced Cybersecurity Regulation in Australia – What Directors Must do to Minimise Risks and Drive Business Growth. Oxford Law Blog (https://www.law.ox.ac.uk/business-law-blog/blog/2020/09/enhanced-cybersecurity-regulation-australia-what-directors-must-do); Seah, S., Kao, J., Van Emmerik, E.G., Ng, N. (2019) Cybersecurity & Singapore: A balancing act for executives and the board. TwoBirds (https://www.twobirds.com/~/media/pdfs/singapore-cybersecurity.pdf)
6. Pulse Survey (2019). Evolving the CISO role to make cybersecurity a competitive advantage. Harvard Business Review (https://hbr.org/resources/pdfs/comm/pwc/Evolvingtheciso.pdf)