Cyber security and the evolving role of the CISO

In larger enterprises I see CSO/CISO roles reporting to the COO or CFO, sometimes the CEO. Treating security as a subset of ‘IT’ by having a CISO reporting to the CIO doesn’t give the correct level of priority…:
[…] According to Wipro’s third annual State of Cybersecurity Report (SOCR), participating companies identified reputational damage to the brand (64 percent) and loss of revenue due to services being unavailable at critical times (62 percent) as the two things that would have the biggest impact.
The report also found that email phishing (79 percent) and employee negligence (72 percent) were identified as the two biggest security risks faced by the organisations surveyed. Tellingly, both are the result of human error rather than external attacks, but can be traced back to a company’s data security policies and guarded against by developing a culture of awareness around cyber-security.
As a result, the role of the Chief Information Security Officer has gradually risen in prominence. An increasing number of CISOs now report directly to their company’s CEO, rather than the CIO. In fact, in the communications industry, 47 percent of CISOs have the ear of the CEO compared to the 30 percent that still answer directly to the CIO.
In BFSI and energy, natural resources and utilities, this difference is much smaller. Health and consumer still have a way to go, while just five percent of CISOs in manufacturing industries answer to the CEO. Evidently there is scope for change, although with the perhaps more forward-thinking communications industry setting an example, we may well see the balance start to shift in others too.
[…]

Original article here