CISOs Emerge From CIOs’ Shadow

More companies are moving cybersecurity chiefs out of tech executives’ orbit to reduce risk of conflict of interest

Jamil Farshchi, chief information security officer of Equifax Inc., reports to the CEO. His predecessor reported to the chief legal officer.


Companies are moving to avoid internal conflicts of interest by requiring cybersecurity leaders to report to executives outside the technology group, including the chief executive.

Experts say conflicts of interest can arise when chief information security officers report directly to chief information officers, who oversee broader technology decisions, because cybersecurity leaders are responsible for assessing risks associated with tech projects.

“You can’t govern your boss,” said Ryan LaSalle, managing director of Accenture PLC’s security practice in North America.

Moreover, CISOs are now expected to communicate with chief executives, board members and leaders from different business units about cyber risks.

“The job has changed a lot from one of compliance enforcer to one of risk coach. That brings a different set of disciplines and skills required to navigate that shift,” Mr. LaSalle said.

A survey by Forrester Research Inc., polling companies with 1,000 employees or more, showed that 35% of respondents said their cybersecurity leader reported to the CIO. That is down slightly from 38% in 2018.

At the same time, 18% said their company’s cybersecurity leader reported to the CEO or president, up from 16% in 2018, the survey found.

As corporate data breaches become more common, executives outside the technology group are more aware of cybersecurity risks to the business, said Paul McKay, a senior analyst at Forrester. Executives and board members, by giving CISOs more authority and making them peers of CIOs, will likely have more insight into their company’s cybersecurity defenses, he said.

With increased exposure to CEOs and boards, CISOs are now required to communicate more about cybersecurity risks in terms of how they affect the business, Mr. McKay said. Some CISOs struggle with the increased demands, he added.

At companies that recently made changes, many CISOs now report to chief financial officers or chief operating officers, Mr. LaSalle said, adding that CISOs in financial-services firms frequently report to chief risk officers.

It is now more common for CISOs to explain companies’ cybersecurity defenses to board committees or the full board, he added. Previously, other executives such as the chief financial officer might have handled such presentations to the board.

“The role of the CISO has become less and less technical,” said Myrna Soto, chief operating officer at cybersecurity firm Digital Hands, speaking at December’s WSJ Pro Cybersecurity conference in New York.

One prominent company that changed its CISO’s reporting lines is Equifax Inc. The credit-reporting agency made the move as part of a focus on cultural changes after the 2017 data breach that exposed personal information from nearly 150 million consumers, CISO Jamil Farshchi told WSJ Pro Cybersecurity in an interview this summer.

Mr. Farshchi, who took on the role in February 2018, reports to CEO Mark Begor. Equifax’s former chief security officer reported to the company’s chief legal officer.

Cybersecurity executives often juggle several different jobs. CISOs’ responsibilities include defending companies against hackers, ensuring different business units follow security rules and setting policies to make sure operations continue in case of cyberattacks.

Thomas Keisu, CISO of Swedish construction giant Skanska AB, reports to the company’s CIO but also has a “dotted line” reporting relationship to the company’s general legal counsel. Mr. Keisu, the CIO and the top lawyer all work at Skanska’s headquarters in Stockholm.

“It’s a hybrid role,” Mr. LaSalle said. “It means it’s kind of hard to find the right place for them.”

Write to Catherine Stupp at Catherine.Stupp@wsj.com