An important part of providing value to an organization is dependent on how Security reports to executives. There are lots of ways Security can stack up in an organization. In past lives, I’ve reported to the CTO, to the CISO, to a VP of customer service, to General Counsel, and most recently, to the COO. You could report directly to the CEO, CFO, or CPO (Chief Product Officer) or others. All of these come with unique pros and cons, and I’d like to talk a bit about them and hear some feedback and additional input from all of you.
This will be a multi-post subject because I don’t want to make it too long, and I can tell right now I’ll have a lot to say.
First of all, it’s essential to have a good relationship with executive management, middle management, and the end users who have to comply with security policies. They’re all your customers, and so are your organization’s customers.
Upper leadership makes decisions based on information from their peers, direct reports, and many other resources. Their support can make all the difference in getting an initiative or attaining budget approval. Sometimes, that support will come from scoring points with a lower-level manager who then backs you up through their direct leadership. Getting that support is essential if you want to make any changes or move the needle forward in a meaningful way.
Secondly, no matter your reporting line, you must deliver and have a good track record. You must represent Security as a positive service, enabling business without slowing it down. Only then can you win the trust and support of executive leadership and be an asset more than just a cost center.
Reporting To The CEO
This is the most apparent direct line-of-sight executive leadership you can have. But don’t be fooled into thinking you have the CEO’s attention. Right off the bat, here’s a big “con” of reporting to the CEO — you won’t find another person in the organization who is busier or has their schedule more booked out. From my experience, the CEO doesn’t think about security as a function but more as a checked box. So, all asks must be well documented and justified, and arguments must be prepared. The big “pro” of reporting to the CEO is that once you have their approval for an initiative or budget ask, you’re off to the races. Additionally, you may gain a better appreciation for what keeps the CEO up at night through casual conversation that might not normally be afforded to you if you report elsewhere in the org, which can give you opportunities to address and mitigate these risks.
CEOs often operate in a fast-paced environment, and being flexible and responsive to their needs can strengthen the security function’s effectiveness.
Another “pro” is that reporting to the CEO sets an example for the entire org that Security is important. Message filtering is gone and communication is improved. On the downside, it’s not likely that your CEO is highly technical or understands anything that you or your team does.
I find the best way to communicate technical issues with non-technical audiences is to sharpen up your allegory and metaphor skills. I recently wanted to implement a CASB (Cloud Access Security Broker) as a pseudo-firewall for our distributed workforce since we would no longer be working from a home office. Rather than explaining how CASB or SASE (Secure Access Service Edge) works, I described it as an always-on VPN — around the world there are hundreds of nodes and the end-point workstations will connect to the closest one, and that node will function as a firewall controlling what the computer can connect to or with, and all traffic is encrypted from end-to-end. Everyone knows what a VPN is because sometimes you can’t watch all the sports you want from where your internet connection is. This explanation made a lot of sense, and it addressed the need for controlled access and protection against beaconing hosts.
I’ve shared my insights on reporting to the CEO, but I want to hear from you. Have you reported up to the CEO? How did that experience go for you? Are there any additional pros or cons that you’ve encountered? Feel free to share your thoughts and experiences in the comments below. In my upcoming posts, I’ll delve into reporting to other executives and leadership, exploring the unique dynamics and considerations in those roles. Stay tuned and share your thoughts on those discussions too.
I love your comment on reporting to the CEO being part of Security, as it does show the narrative that security is important. Most companies I’ve seen in my short career as a 27-year-old sometimes throw security on the back burner as a side thought; that should never be the case. Security is pertinent to the success of any organization, and everyone should be aware just how much of an effect it has on the success of a company.
Too often Security is a sales enablement tool only. One of my teammates (Yeah, I need to update my employment status in a post. I’ve been dizzy bizzy) has a good perspective I’m adopting; “Security is here to facilitate revenue.” This is not sales enablement, but we ensure security of Confidentiality, Integrity, and Availability so the company can make more money. That’s what every single person in the org is trying to do — make more money. So we protect the data, infrastructure, code, facilities, reputation, etc. to allow that to happen. We all want to make more money, so let’s lock it all down and let everyone do their best and let’s all make more.