Debate continues over where CISOs sit in the C-suite
Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report. Some say the CISO should report to only the CIO because the top security role is inextricably linked to IT. Others say this is a terrible idea because the CISO’s must lock down the corporate network while the CIO is challenged to innovate. A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.
MIT professor and panel moderator Stuart Madnick asked the CISOs to whom they believed they should report. State Street CISO Mark Morrison suggested that the common model of security chiefs reporting to IT leaders is no longer tenable. “I think there needs to be some independence of the CISO from the IT organization,” said Morrison, who provides information security for a financial services company with $30 trillion under custody.