Educause Security Discussion mailing list archives

CISO reporting relationship survey from CIO listserv


From: Brian Kelly <bkelly () EDUCAUSE EDU>
Date: Thu, 6 Jun 2019 16:36:30 +0000

Sharing Mark’s email below as a cross post from the CIO list and adding input from Leah Lang and EDUCAUSE CDS data.
Brian


We recently published a 2019 Information Security 
Almanac<https://library.educause.edu/resources/2019/4/the-educause-information-security-almanac-2019> using CDS data.  
In here you’ll find that

83% of dedicated, full-time information security leaders report to the Highest-ranking IT administrator/officer (e.g., 
CIO) in central IT
4% report to an other IT manager
3% report to the director of networking

When speaking more broadly about the person with primary responsibility for information security (both full-time and 
part-time roles), here’s how the reporting lines fall (image from the CDS portal using All U.S. nonspecialized 
institutions): Around 63% of individuals with primary responsibility for information security report to the CIO (up 
from 60% in 2016).  Around 10% of individuals with primary responsibility for information security report to the 
president – I’m guessing these are CIOs who have primary responsibility for information security among their other 
responsibilities.

It’s the end of May so we’re ramping up for our July 2019 launch of the EDUCAUSE Core Data Service 
(CDS)<http://www.educause.edu/coredata>.  I hope you’ll all consider contributing to this valuable resource!



Leah Lang
Director of Analytics Services

EDUCAUSE<http://www.educause.edu/>
Uncommon Thinking for the Common Good
direct: 303.939.0339 | main: 202.872.4200 | fax: 202.872.4318 | educause.edu<http://www.educause.edu/>
Twitter: meahlarie



From: The EDUCAUSE CIO Community Group Listserv <CIO () LISTSERV EDUCAUSE EDU> On Behalf Of Mark Roman
Sent: Sunday, June 2, 2019 9:52 PM
To: CIO () LISTSERV EDUCAUSE EDU
Subject: Re: [CIO] CISO reporting relationship

Thanks for all the responses to the CISO reporting relationship question.

I’ve compiled the answers to the question posed on the EDUCAUSE and CUCCIO (Canadian) listservs in the attached 
spreadsheet and the overall results are shown in the chart below. Of the 51 responses received, 88% reported the CISO 
or equivalent reporting directly into the CIO. Some institutions had their CISO or equivalent report to a level below 
the CIO, such as a Director, and one respondent reported outside of IT. 6% of the respondents reported not having a 
CISO, but in each case they are working towards a shared CISO in their region.


There were also several interesting links suggested so I have copied them here for anyone interested in investigating 
further:

EDUCAUSE CISO studies
https://library.educause.edu/resources/2019/1/the-higher-education-chief-information-security-officer-study-reports-2014-2017

EDUCAUSE 2019 Information Security Almanac
https://library.educause.edu/resources/2019/4/the-educause-information-security-almanac-2019

EDUCAUSE CDS 2015
https://library.educause.edu/~/media/files/library/2016/3/ewg1601.pdf

European Benchmarking
http://www.eunis.org/task-forces/benchmarking/

Georgia Tech Governance of Cyber Security Report
https://www.paloaltonetworks.com/resources/techbriefs/governance-of-cybersecurity.html

Discussion blog
https://blogs.wsj.com/cio/2015/02/06/data-breaches-spark-debates-on-ciso-cio-dynamic/


Mark Roman
Chief Information Officer
Simon Fraser University | Strand Hall 3166
8888 University Dr., Burnaby, B.C. V5A 1S6
778.237.0135 | sfu.ca/itservices
Twitter: @sfu_it

I respectfully acknowledge that SFU is located on traditional territories of the Coast Salish peoples of the Musqueam, 
Squamish, and Tsleil-Waututh Nations.



From: The EDUCAUSE CIO Community Group Listserv <CIO () LISTSERV EDUCAUSE EDU> On Behalf Of Mark Roman
Sent: May 24, 2019 8:35 AM
To: CIO () LISTSERV EDUCAUSE EDU
Subject: [CIO] CISO reporting relationship

We have been having an interesting conversation at our institution about where the CISO should report. In your 
institution, does the CISO report to the:


  1.  CIO?
  2.  Below the CIO (such as a Director)?
  3.  Outside of IT?

Is anyone aware of any research in higher ed about CISO reporting relationships?


Mark Roman


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found 
at http://www.educause.edu/discuss.

Attachment: CISO Survey.xlsx
Description: CISO Survey.xlsx

