It’s been suggested that Chief Information Security Officers (CISOs) must report to the agency head to be effective, instead of reporting to the Chief Information Officer (CIO).
One of the reasons given is that:
“Such an organizational construct reduces cybersecurity to a mere IT security problem, ignoring the growing importance of cybersecurity’s reach across all of the personnel, physical and cultural strata of an agency’s makeup, not to mention its grander organizational privacy, risk management and compliance obligations. Congress seems to believe that the often politically appointed CIO with myriad budget-cutting and help desk headaches is the appropriate senior official under whom to subordinate the critically important and growingly complex cybersecurity portfolio.”
The agency head is in fact more likely to be a political appointee than the CIO, and the agency head has an even broader set of concerns than the CIO. Cybersecurity is therefore likely to get less attention from the agency head than it would from the CIO, not more.
Furthermore, the cross-cutting nature of security does not go away if the CISO reports to the agency head. The CISO would still need to coordinate with the people responsible for "the personnel, physical and cultural strata", because those functions stay where they are. The only way to remove that coordination burden would be to make all of those people report to the CISO, which would pull the CISO even further away from security work.