VIDEO: CISOs’ reporting hierarchy comes into focus

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 04 Jul 2023

Several years ago, the debate focused on the CIO’s reporting lines, but it has now shifted to who the chief information security officer (CISO) should report to.

This has been prompted by the strategic imperative of the security function within the current landscape, said Nomonde White-Ndlovu, CIO of Bidvest Bank, during a panel discussion.

White-Ndlovu, along with other CIOs and cyber security professionals, last week participated in a panel discussion at the ITWeb Brainstorm CISO Banquet.

Now in its second year, the CISO banquet is hosted as part of the ITWeb Security Summit and in partnership with MTN Business.

Based on ITWeb’s CISO survey, 19% of the respondents report to the group CIO, while 12% said they report to the group CISO, and a further 12% stated they report to the CEO.

White-Ndlovu acknowledged that in many organisations CISOs report to the CIO, but noted that views on the appropriate reporting line sometimes differ across organisations.

The double-hatting – CIOs serving as CISOs – further blurs the reporting lines for cyber security professionals, she noted.

Pragasen Pather, CIO of Sun International, said he “strongly” believes it doesn’t matter whether the CISO reports to the CIO, or the chief risk officer.

“Every CISO wants to be on the exco, which means they want to report to the CEO. But do you really think the CEO is going to have time to listen to what the security officer has to say when he’s trying to drive profits, drive revenues and sales?

“I think if we are still asking ourselves that question, then we probably need to do some introspection as to what our actual role and mandate is within the organisation.”

Instead of focusing on the reporting lines, White-Ndlovu and Pather agreed that CISOs should align themselves with the chief financial officer (CFO).

Pather explained: “If you align with the CFO, you will get the budget that you want…the reporting lines shouldn’t really matter anymore, it’s how you fulfil the needs of the organisation.”

White-Ndlovu echoed similar sentiments, saying “becoming friends with the CFO” is the trick that all security professionals should learn. This, she added, applies to the CEO, CIO, or whoever is in charge of the budget required to implement what the CISO needs in the organisation.

“Become friends with the CFO and make them see how doing your job makes them look good and why you need budget. The debate around where a CISO should sit comes back to the ability to attract the budget that will be needed, to implement what is required.”