Organizational structure

Where Does the Modern CISO/Head of Security Fit in Your Organization?

Technology has become an essential component of most modern businesses. Because of that, technology leadership needs a place in the org structure that lets it affect and improve the whole company. If a CISO/Head of Security is placed in the wrong structure, the results can be poor or even detrimental.

The ever-evolving CISO/Head of Security role is still searching for a permanent home in many organizations. Where this key position should reside has been front-of-mind for most of our clients and a hot topic within our community.

To provide some relevant data, we can break down our current project portfolio. In our current portfolio of CISO/Head of Security search projects, there are almost as many different reporting structures as there are searches. We have 7 open search projects and 6 different C-level leaders the hire would report to, ranging from CEO, COO, CFO, CPO and CIO to CTO/SVP Engineering.

So, where does this strategic and critical position belong in your company's structure? We've seen that opinions tend to vary based on the answers to these five questions:

  • What does the company’s historical security structure look like, and how successful has it been?
  • What level of impact will the Head of Security be expected to have within the company?
  • What is the maturity level of the security program and compliance efforts within the company?
  • How does the company build, deliver, and sell their product or service?
  • What are the external optics of the security posture of the company's product or services? What will clients need to see and hear about the structure the company puts around its Head of Security function?

Let's use a start-up, cloud-first SaaS product company as an example. The company starts with security as an important component of the engineering or product development organization, because they began building everything in AWS, Azure or GCP. When the company's attack surface becomes large and complex enough to warrant hiring their first Head of Security, they could go a few directions. They might decide to expand the existing Security Engineering/Operations function, or they might create a separate security function and pull SecOps out of Engineering altogether.

But let's say the company is coming from a more traditional shrink-wrapped software delivery model with professional services. They have a functioning, more traditional IT structure, which might warrant the Head of Security sitting within the CIO's organization. Simple enough, right?

Then what happens when that same company migrates their entire product suite to a cloud delivery model on public cloud infrastructure? At that point, the security function might split in two (InfoSec/Compliance and SecOps/DevOps), or DevOps might be rolled under Security Operations. Another possibility is that the General Counsel takes Compliance and everything else security-related falls under Product or Engineering. The point is that there are a dozen different, completely justified ways to go.

All said, this is a transformative and exciting time to be a leader in the security space. For CISO/Head of Security candidates out there, it will take patience and diligent discovery to determine whether the roles being presented to you will enable your growth and impact at your next company. For companies looking to make this important hire, it will take patience, lots of data, and perhaps several tough conversations within your company to get it right. You might even choose to listen to your search partner. ☺

Especially on a topic with so many different opinions, we'd love to hear yours. What do you and your company think the right structure should be? Please complete this short anonymous survey. We'll discuss our findings in a future post.