The higher education chief information security officer's (CISO) place in the institution hierarchy can be a debatable topic. Does the position fall under the chief information officer (CIO), should it be tucked under the responsibility umbrella of another institution leader, or should the position be a lateral role among institution management team members and report directly to the institution president? It’s a conundrum, and according to the CHECS’ 2014 CISO study, CISOs do not have a solid answer.
Only 33% of CISOs felt it should be an information technology department position and report to the CIO, but even fewer – 26% – said it should report to the president. The remainder of the responses spanned the institution: 13% said the role should report to an executive outside of IT and 10% gave the chief financial officer the nod, while single-digit percentages also went to the chief academic officer and the risk manager.
Not so with CIOs—they feel strongly that the role should be placed under their watchful eye. More than 69% of CIOs stated as much in the study. Moreover, that response almost matched the actual reporting structure with 79% of CISOs reporting to the CIO.
The wide array of responses from CISOs may indicate they are still feeling their way in this relatively new role in the institution. This uncertainty may be common; the commercial sector seems to also be struggling with structure. There was a great deal of conflicting conversation when department store giant Target hired its first CISO in June 2014 and placed him under its CIO’s leadership.
This reporting structure bears watching as the role matures and organizations try different arrangements, seeking the one that works best for individual institutions. What do you think?