The Right Reporting Line is the One that Works. Period.
Good afternoon, and many thanks to all of you for joining me today at the Cybersecurity Leadership Summit. Many thanks to KuppingerCole for inviting me again; this is now my fourth appearance since 2019 at the Cybersecurity Leadership Summit. I'm JC Gaillard, founder and managing director of Corix Partners. We are a boutique management consulting firm based in London, focused on assisting C-level execs with cybersecurity organization, governance and strategy challenges.
I'm delighted to be with you again. I'm going to be talking to you about the reporting line of the CISO. We're going to take a look back at that reporting line, what it means and how it works, and that's going to take us on a journey across a number of cybersecurity governance issues. I'm sure this is going to be thought-provoking for some; I hope it will be. If there are any questions or anything else you want to discuss, you'll have my details at the end, and I'd be delighted to engage with you. You can also submit questions through the chat.
I'll do my best to answer them. This session is pre-recorded to avoid any glitches, network problems or anything of that sort, but I will be on the call on the day to answer any questions you may have. So that's it, really, as a matter of introduction. I'm very often asked the question by clients and the like: what is the right reporting line for the CISO?
And I'm frankly baffled that this topic is still doing the rounds amongst the cybersecurity community. Frankly, it's probably one of the oldest topics of discussion amongst cybersecurity professionals. I remember very vividly discussions on it when I started to get involved with cybersecurity or information security matters close to 20 years ago.
And I always tend to answer the question in the same way: the right reporting line is the one that works, the one that's going to work for you, period.
I think it's very important to stay away from arbitrary issues on that matter, and that's essentially what I'm going to be talking to you about this afternoon. So frankly, it does beg the question: why are we still here talking about this? Fundamentally, in my opinion, it's because confusion and inconsistency still prevail.
And that's rooted in three types of conflicting messages, if you want.
On one side, you've got boards and senior executives who tend to see cybersecurity as a purely operational and technical matter. CISOs are stuck in the middle, incapable of escaping pure firefighting roles. And that of course prevents them from building up the type of elevated narrative that will have to be built with the board and senior execs to get them out of that purely operational and technical approach to cybersecurity.
And finally, audit and regulators, very often over the years, have had the tendency to push a very strict, very rigid separation-of-duties type of agenda around the role of the CISO. In many cases, in particular where cybersecurity maturity levels are quite low, it does create tensions and it does create more problems than it solves. That's also something I'm going to be talking about in this session. So I've done a little bit of research ahead of this talk and a similar talk I gave last month to the Association for Data and Cyber Governance in the US.
So I asked myself, what's the state of play around this? I looked for a number of reports, a number of research papers.
The big four in particular publish those types of reports every year. I've settled on ClubCISO in London, because their Information Security Maturity Reports have been running since 2014 in a very consistent format.
And I found interesting material in there. ClubCISO, as the name indicates, is a networking platform, a networking body for CISOs; it's based in London. Their surveys cover in the region of 50 to 150 CISOs every year, and they've been asking that question regularly around the reporting line. So what does it show, what does it tell us? It tells us that fundamentally the majority of reporting lines are still towards IT: towards IT executives, CIOs, CTOs or that type of IT role.
That averages around 62% across the period. Non-IT reporting lines, reporting lines to board members, to the CFO or other execs, average in the region of 20 to 25%. And the remaining 10 to 15% are essentially non-direct reporting lines: reporting lines towards risk committees, matrix reporting and that type of thing. In terms of trends, fundamentally the trend towards reporting to an IT executive is a trend downwards; that's going down.
Not much though, not much: probably from 70% towards the beginning of the period to 60% now. Reporting lines towards non-IT executives, board members, CFOs and the like, the bit in orange here on the chart, that's broadly flat.
It has gone up and down a little bit across the period, but fundamentally it has always been in that order of magnitude. Non-direct reporting lines, hybrid reporting, matrix reporting, reporting to risk committees, that's gone up undoubtedly, but then again from practically nothing at the beginning of the period to 10 or 15% now. So fundamentally there are trends, but there are no fundamental trends. There are more or less marginal trends, really.
There is a marginal trend undoubtedly away from IT reporting lines, but it's really hard to see evidence of any fundamental evolution over the past eight years around the reporting line of the CISO. So it does back a little bit what I was saying on the other slide about the fact that we have a situation which is interlocking in a number of ways. Does the reporting line of the CISO matter? Absolutely, it does matter. It's the most fundamental channel of authority for the CISO, and it presents to all stakeholders across the enterprise, in an unequivocal manner, the real level of importance placed on cybersecurity by the organization. Most problems large organizations have around cybersecurity are not directly rooted in under-investment, irrespective of what countless vendors would like you to believe.
Large organizations have spent billions and billions on cybersecurity over the past two decades. The real problems are rooted in execution failure: the inability of large organizations to generally deploy the protective measures at stake. And that is rooted in governance and cultural issues, which fundamentally have led over the last two decades to the adverse prioritization of security matters. So absolutely, the reporting line of the CISO matters.
It's absolutely key to success for the CISO, in my opinion. So how do we go about getting this right? Three starting observations, which are going to be pretty obvious, I suspect, for some of you. Certainly the first one: cybersecurity needs to be on the board's agenda. I don't need to tell you why; cyber attacks have become too serious, too frequent. You just have to listen to the news. Literally every week there is a story of that sort. It absolutely needs to be visible in the portfolio of a board member.
You may want to bundle it with privacy, with continuity, with resilience, to make it attractive enough for the right caliber of executive at that level. But fundamentally, cybersecurity has to be on the board agenda.
Second starting observation for me: the reporting line of the CISO must be determined positively, not arbitrarily. People work with people; strong organizations are bound by trust, not by distrust. The reporting line of the CISO needs to be a positive statement. And fundamentally it's a means, not an end. It's the means to enable the cybersecurity practice of an organization to deliver on its objectives. And of course, that takes us to the next level, which means your cybersecurity practice needs to have clear objectives.
It cannot be just a random list of projects driven by audit observations. And it's in that context that you need to ask yourself the question about what is going to be the right reporting line for my CISO. Generally, when I get to the next level in discussions with clients around guiding them with positioning the reporting line of the CISO in the best manner, I start with three guiding principles. First of all, in my opinion, the reporting line of the CISO has to be high enough in the organization.
It needs to be high enough for the CISO to be visible, audible and credible across all corporate silos, across all business units, across all geographies and with key vendors. There is no doubt about that.
And very often I tell clients that if your objective around cybersecurity is transformative, truly transformative, if you really need to rise in maturity, frankly, reporting below board level or board minus one is not going to work. The CISO will never have enough momentum, enough gravitas, below that to achieve any real lasting change. Second guiding principle, in my opinion the most important: the reporting line of the CISO has to be solid enough.
And by that I mean the reporting line between the CISO and their boss, the nature of the relationship between the CISO and their boss, is absolutely paramount. It's the true cornerstone of the construction here, and it's the real key to success.
The relationship between the CISO and their boss must be unquestioned, unquestionable. They must speak with one voice. They must share the same vision of what security means, of what needs to be achieved. They must share the same appreciation of the timeframes involved. They must speak with one voice all the time. That's an absolutely fundamental aspect. In my view, if you get this right, you go a very long way. And finally, and in my opinion it's the third of those aspects, and frankly not necessarily the most important: yes, the reporting line of the CISO, the CISO himself or herself, needs to be independent enough. So the reporting line of the CISO must allow the right degree of independence, so that the CISO remains able to act in all situations, free of conflicts of priorities and so on. But for me, it's only one point in that equation.
And as I said, not necessarily the most important. You heard me say that already earlier in this talk, and I say it again: arbitrary considerations of separation of duties, in my opinion, cannot rule alone. And I'm going to come back to that, because it's a point on which I'm often questioned.
So, two main reasons really why arbitrary separation-of-duties considerations cannot rule alone. First of all, the current threat context. To be honest, this is a question which is often raised in relation to the CISO reporting to the CIO, and for me this is really the wrong question to ask yourself. If cybersecurity is not top of your agenda with your CIO or your CTO, in a context where cyber incidents are at the top of the news several times in the year, often several times in the month, if your CIO is not capable or willing to prioritize in favor of cybersecurity in the current threat context, frankly, you have a problem which is much bigger than what you think.
And it's likely that your CIO is probably simply reflecting the kind of message, the kind of culture, he is getting from the business around him. In that context, if your organization is in that state, then frankly, wherever you place the reporting line of the CISO, you will just carry the problem with you.
So that's often the background, if you want, in which I wrote that statement that arbitrary separation of duties cannot rule alone. But then you've also got to consider the real-life dynamics of large organizations. Large organizations are what they are: they're complex, they are territorial, they are political, and that's just the way they are.
So very often, arbitrary reporting lines create complexity. Complexity breeds confusion, it brings politics, and it allows adverse prioritization for the organizations which have that tendency. And fundamentally it hinders execution. It increases frustration for the CISOs. It shortens their tenures. It simply amplifies the problem.
So I repeat something I've said at the start of this session: the reporting line of the CISO needs to be determined positively. It needs to be a positive statement, and it needs to be a positive statement to optimize execution and the protection of the firm. I'm going to go quickly onto another question I get around separation of duties and the importance it should have in the determination of the reporting line of the CISO.
It's a question around lines of defense, and I'm conscious that there will be governance people listening to me this afternoon, so I don't want to brush it under the carpet, although frankly, very often I do tend to avoid the question, because I find large organizations are very often, how can I say, not very consistent in their implementation of the three lines of defense model. So what role for the CISO: is it a first line role? Is it a second line role?
I generally tend to sit on the fence, because I've very rarely come across an organization which has a properly watertight three lines of defense type of model in place. So if you have already started some form of over-elaboration around your own implementation of the three lines of defense, then frankly, how do you want to position the CISO in that context? A difficult question to ask, and it can really be answered only in the context of each specific firm. So I tend to avoid it, but I tend to tell my clients the same thing: keep it simple.
Over-elaboration is the real problem here. Avoid it as much as you can. Avoid complexity: complexity creates confusion, confusion allows politics and hinders action. So keep things simple as much as you can, and keep things structured as well. Make sure that your CISO has a clear concept of what they are meant to be delivering, and a clear structure and a clear operating model behind that.
So just as I move towards the conclusion, I would like to leave you with some form of analysis grid to orientate the decision around the reporting line of the CISO. It's not meant to be an exact science, and I don't think it will ever be an exact science, but I'm trying to give you hints here, and criteria to figure out what would be a good reporting line, or at least a good starting point in terms of how to approach the discussion around the reporting line of the CISO.
I think you need to consider crossing two factors. On the left here, your cybersecurity maturity level, because that fundamentally is going to determine the nature of the work to be done, and behind that, the profile of the CISO themselves. If maturity is low, in the current threat context you cannot carry on. You need to start changing that; you need to start improving on maturity. And your CISO will have to be fundamentally a change agent.
If you are already on your way, if you are already running some form of transformative program, your CISO probably needs to be some form of operational leader. And if you have already achieved a satisfactory degree of maturity, then you can imagine your CISO being a figurehead.
That's the first dimension, I think, to bear in mind in mapping the field. Then you need to consider the type of business you are and where your key operational focus is, whether it's on people, process or technology, and what is the key information attribute you're trying to protect here: is it confidentiality, integrity or availability, in the classical sense if you want? So this is not a very strict way of analyzing the profile of your business and your operations.
But again, it's a matter of finding orientations and finding ways of analyzing the problem and helping you move towards the determination of the best reporting line here. If you are in the healthcare business, you're probably going to be on the left here. If you're an online retailer, for example, you are probably going to be on the right. If you're a manufacturing business, you're probably going to be in the middle.
But the key here is to think about not only what the CISO is going to have to do, but in which context they're going to have to do it. And that's the idea here of this analysis grid. Fundamentally, I think the two main takeaways here, if you want, are at the top and on the right. Only consider a reporting line to risk, or some form of full and proper second line positioning, once your maturity allows it.
And that's the bit in blue at the top. If maturity is low or rising, and if you need to drive change in some way or another, an operational reporting line is key. In my opinion, it's key to get things done and it's key to raising maturity. Those are essentially the two key takeaways here, I would say, at the highest possible level on that grid. But it's only there to help you analyze your own situation, to help you map the field and to give you orientations. Again, do not take this as an exact science; it's not meant like that.
It's meant as a way to orientate the discussion and help you think around the problem. So that's it for me, in a nutshell. I'm moving towards the conclusion now. I'm trying to summarize here the few key takeaways, going back to a number of things I said.
Arbitrary considerations of separation of duties cannot rule alone. If there is one thing really to take away from me this afternoon, it's probably that. The reporting line of the CISO must be set positively to optimize execution and protection. It's a means to an end. It's a means to enable your cybersecurity practice to deliver on its objectives. And keep things simple as much as you can; avoid over-elaboration, because complexity simply breeds confusion and hinders action.
Of course, the objectives of your cybersecurity function will be driven by your maturity levels and what you want to do around that, by your business appetite to change things around cybersecurity practices. And just to go back on what I was saying on the last slide: only consider a reporting line to risk and some form of full second line of defense positioning in line with your own practice of the three lines of defense model.
Only consider it once maturity allows. An operational reporting line will always be key to drive change, to get things done and to push maturity up. And that takes us back to what I was saying at the start.
The right reporting line is the one that's going to work for you in that context. It's the one that's going to work for you in that context, period. That's it for me. Many thanks for listening to me this morning.
Of course, as I said earlier, if you want to be in touch, you've got my details here on the screen, jc at corixpartners.com. If there are any questions on the chat, I'm going to do my best to answer them.
Otherwise, feel free to reach out by email or any other way, and I'll be delighted to exchange with you if you have any questions or any comments about the session. Thanks again to all of you. Thanks again to KuppingerCole for having me on the Cybersecurity Leadership Summit one more time, and I wish you a very good rest of the day and a very good rest of the conference. Many thanks.