CISO Security ‘Portfolios’ Vs. Reporting Structures

Organizational structure is a tool for driving action. Worrying about your boss’s title won’t help you as much as a better communication framework.

Adam Shostack, Leading expert in threat modeling

August 23, 2016

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Every way to structure an organization has weaknesses.

In the first place, every executive learns early in their career that different structures have different strengths and weaknesses, and one reason to reorganize semi-regularly is to shake up some of the inertia that a structure brings. Having CISOs reporting to the CEO takes them out of the operational structure and puts them in a policy role, which creates risks that operations will hide deficiencies. Having CISOs in an operational role means that someone else might be formally responsible for risk sign-off, and their boss might hide deficiencies.

Second, every organization is different. Asserting that Amazon and Apple should have the same CISO reporting structure ignores the fact that Amazon is organized by products (retail, AWS, prime), while Apple is organized functionally (engineering, marketing). Claiming that General Electric and General Motors both need a CSO who reports to the boss ignores that GE is a conglomerate and GM is thinking pretty deeply about what their world looks like as they become a software company. (Now, you might argue that both have a CFO, but Sarbanes-Oxley mandated that role for public companies. The expansion of executive teams is getting attention in Harvard Business Review.)  

Third, more important than where you report is how you work the organization. Of course, title is important. I remember a friend marveling at how much faster his meetings got accepted after he was re-titled from director of security to “chief.” Similarly, being a direct report to the boss is a signal of the importance a company is placing on a role. But unless everyone in IT reports to the CISO, they’re fundamentally an advisor, not the decision maker. And as an advisor, they need to work the org. They need to talk to the leadership of the company and balance between various priorities while advocating for security. That balancing and perspective is helped by being close to leadership and being brought into more conversations, and hindered if there’s an expectation that the org chart brings power.

Fourth, the CEO’s a busy person. They spend their days making decisions that no one under them can make. Their bandwidth for mentoring and advising may be more limited than other leaders.

Portfolio views are under your control. You can choose to use them without getting into a discussion of what the org chart should look like. A portfolio of controls is clearly and unambiguously in your domain. Using portfolio views is unlikely to step on anyone’s toes. You can use portfolios to anchor your discussions as you work the org. A good view like the Cyber Defense Matrix grounds the conversation by avoiding jargon and linking to the business.

In The Effective Executive, Peter Drucker talked about concentrating your effort on the things that matter most. Arguing about reporting structures is a less useful place for your effort than getting a grasp on the whats and whys using portfolio views.

Related Content In This Series:    

About the Author

Adam Shostack

Leading expert in threat modeling

Adam Shostack is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. His personal home page can be found here

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights