
Does the CISO belong to the CIO?

In the rapid, ever-evolving realm of cybersecurity, the question of where the Chief Information Security Officer (CISO) should sit within the organizational hierarchy is far more than egos clashing with corporate musical chairs.

It’s a question that could very well influence the very integrity of an organization’s data, and consequently, its competitive edge.

What about the scope of responsibilities? The CIO is in charge of the entire IT infrastructure: data, systems, applications, hardware, software and platforms. All of it. This role owns the outcomes. The job requires focusing on the technology that supports the organization’s business processes, and on accountability for results.

Conversely, the CISO should be focused on protecting this infrastructure from cyber threats. A good argument can be made that the CISO’s role is a sub-discipline of the broader IT realm for which only the CIO is responsible. To many, having the function report outside that domain makes as much sense as having the data center report to the board or the application development function report to the CEO. On paper, the CISO reporting to the CIO creates a seamless alignment, enhancing the capacity for quick, integrated responses to emerging threats.

Secondly, there’s the consideration of resource allocation, which is often controlled by the CIO. Cybersecurity is not a zero-sum game; it requires considerable investment in technology and manpower. Having the CISO under the CIO umbrella ensures that the security function has the necessary resources and isn’t overlooked in budget considerations. The CISO can make a direct case to someone who understands the technology and can advocate for appropriate spending levels.

However, one of the counterarguments often brought up is that of impartiality, or the lack thereof. Detractors of the CISO-CIO reporting structure argue that the CISO may not have the necessary independence to evaluate the organization’s cybersecurity posture objectively. They say that the CISO should report directly to the CEO or the board, ensuring an unbiased perspective.

While the need for an impartial review is undeniable, an easy counterargument is that a competent CIO would also want an unbiased security assessment, because the CIO is ultimately accountable for the efficiency and safety of the entire IT environment and, by extension, the enterprise.

The way things are going, with the rapid move to a fully digital world colliding with transformative technologies like GAI, the digital risk management function ought also to report to the CIO.

We know that the issues surrounding cybersecurity have reached a level of complexity not seen before, making the function nearly, if not completely, impossible to manage. With challenges such as ransomware, phishing, and advanced persistent threats, a fragmented approach to IT and cybersecurity will not work. The need for a cohesive, unified strategy is more urgent than ever. A direct line between the CISO and the CIO ensures that there is no disconnect in communication and that strategic objectives are unified.

Today, in the boardroom, the CIO has a seat at the table, often with the ear of the CEO and board members. If the CISO reports to the CIO, they gain a powerful advocate for issues of cybersecurity at the highest levels of decision-making. It’s about leveraging influence and taking advantage of synergies in a way that benefits the entire organization, while removing the insecurity surrounding strategic decisions about which the decision makers know little.

The CIO is trusted. The CISO is not.

It is the equivalent of having the plant manager report to the board. That never happens. The plant manager, accountable for five-nines uptime, probably carries more criticality than the CISO, yet it is the general manager who reports to the board instead.

While the debate on reporting structures in the corporate world is far from settled, there are compelling reasons why a CISO should report to the CIO. From strategic alignment and resource allocation to dealing with the complexities of today’s cyber threats, this arrangement offers an integrated, effective approach to one of the most pressing issues companies face today. And in the current landscape, where data is often referred to as the ‘new oil,’ we shouldn’t accommodate any arrangement that is less than optimal.

Regardless of whose feathers stay ruffled.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
