Why CISOs should report to the CEO—and not the CIO

By John Kell, Contributing Writer and author of CIO Intelligence

    John Kell is a contributing writer for Fortune and author of Fortune’s CIO Intelligence newsletter.

    Who chief information security officers report to can have a huge impact on a company.

    One in five chief information security officers report directly to their CEO. Andy Ellis says that’s not nearly enough. 

    “It’s really about being in the room where it happens,” says Ellis, operating partner at YL Ventures, an American-Israeli venture capital firm that specializes in cybersecurity investments. Ellis has personal experience in the field, previously as chief security officer at cloud and security firm Akamai Technologies for nearly a decade.

    Ellis asserts that the CISO must have a seat that’s level with leaders who manage IT, legal, and finance and that by working directly with the CEO, a company’s top cyber expert can be empowered to strategize with a cyber-first mindset when a business pursues new ventures, rather than cleaning up messes after they occur. 

    If for some reason the CISO is unable to report to the CEO, the next best person is the chief technology officer, according to Ellis. A survey by YL Ventures, based on interviews with 50 cybersecurity executives, found that roughly 16% have that reporting structure in place. A quarter of CISOs report to the chief information officer, which Ellis says creates “unhealthy tension.” 

    That’s because the roles don’t neatly overlap and could result in conflict when a CISO is trying to implement cybersecurity governance across a company’s entire technology stack, while at the same time, their boss may only oversee enterprise IT.

    Ellis then makes a controversial call. He says with so much technology being outsourced to vendors, startups are finding they don’t even need a CIO any more, as software management and gadget services can be easily handled by an IT director. The CIO, he argues, is “not a C-level position anymore.”

    Gerhard Eschelbeck, CSO at autonomous trucking startup Kodiak Robotics, says he reports to the CEO because cybersecurity is more than an IT issue; it is an enterprise-wide business consideration. “We have seen a major shift towards cybersecurity being an executive-level topic, and the CISO should be driving these discussions,” says Eschelbeck.

    What may be holding CISOs back from a more prominent C-suite role is that they are overly focused on saying “stop” to ensure adequate security protocols. CEOs aren’t keen to hear “no” when they want to move forward with an exciting new venture. 

    CISOs should also be bolder and more precise about the data they report to the C-suite and board. Ellis says the industry lacks standardization in metrics and that the details they do share, like how many employees clicked on a suspicious link, aren’t particularly insightful. That would be like the finance department sharing how many people had a mistake in their expense report.

    “It needs to come up a level and it needs to be more consistent and more actionable,” says Ellis, who advocates for CIOs to have “a little more moral courage to be able to stand up and say how we’re building our technology stack is the problem. People are not the problem.”

    Mandy Andress, CISO at search software provider Elastic, says generative AI is being used by bad actors to increase the volume of threats, such as phishing emails, and their sophistication. In response, Elastic has improved “real and engaging” training, she said, which includes creating awareness videos that feature actual employees rather than generic corporate cartoon characters.

    YL Ventures’s report also found that 43% of respondents are increasing their cybersecurity budgets in 2024. Nearly 26% reduced cybersecurity spending, while 23% kept spending flat. But with big data breaches recently affecting AT&T, car dealership software provider CDK Global, and as many as 165 customers of business software maker Snowflake, the question remains: Is that spending enough? 

    “Probably not,” says Ellis, who blames cautious spending on a choppy economy and the presidential election year. “Next year, I think people will have a lot more certainty and these budget numbers will move up.”

    John Kell


    NEWS PACKETS

    CIOs look for AI investments to fuel top-line growth. A survey conducted by KPMG showed that revenue generation has overtaken productivity as the primary measure of success to determine artificial intelligence's return on investment, topping improved decision-making and productivity gains. The shift in thinking is notable as CIOs move from pilot to production for AI, with some hoping the revenue from AI use cases will start to show up in earnings reports in 2025 or the year after. One area of focus for many leaders is AI-powered tools that promote more personalized recommendations, though it is still too early to say if these features are meaningfully altering consumer patterns to spend more online.

    AT&T hacked and paid to erase sensitive data. In what is likely one of the largest data breaches of 2024, AT&T disclosed hackers had obtained phone call and text message records of nearly all of the company’s cellular customers, a hack that occurred in April and impacted customers in a six-month period in 2022, and on Jan. 2, 2023. Bloomberg reported that AT&T then paid about $400,000 to the hacker to erase the data that was stolen, a sum that’s relatively small, but likely because no financial records were involved in the hack.

    Google eyes Wiz deal to give cloud a lift. The Wall Street Journal reports that Google parent Alphabet is in advanced talks to buy cybersecurity startup Wiz for around $23 billion, an acquisition that would be the company’s largest ever. Wiz, which achieved $350 million in annual recurring revenue in 2023, offers cybersecurity software for cloud computing and would help boost Alphabet’s efforts in cloud computing. Cloud is a key growing business for Google, but the company ranks a distant third in the market to Amazon’s AWS and Microsoft Azure.

    ADOPTION CURVE

    AI on a budget. A report by Japanese conglomerate Hitachi found that 96% of the 800 IT and business leaders surveyed favor cheaper generative AI alternatives over proprietary large language models, which come at a steep cost due to the investments needed to support compute, energy usage, and engineering talent. 

    CIOs and other tech leaders are uncertain about the high costs associated with deploying generative AI, with much of the concern centering on clear ROI. Rather than lean on proprietary LLMs, more IT executives say they are using lower-cost options including commercial and off-the-shelf solutions (37%). That was followed by open source with customization (31%), which are AI models built to address a specific use case, and then off-the-shelf open source (20%), AI models that are generally free to use.

    JOBS RADAR

    Hiring:

    - NASA is seeking a chief information officer for its research lab, based in Greenbelt, Md. Posted salary range: $205.2K-$211.6K/year.

    - Forrester, a research and advisory firm, is seeking a VP, CIO executive partner, based in Cambridge, Mass.

    - Earthjustice, a nonprofit environmental law organization, is seeking a CTO based in San Francisco. Posted salary range: $252.8K-$295.6K/year.

    Hired:

    - Hasbro announced Dan Shull has joined the toy maker as chief digital information officer, bringing 25 years of Fortune 500 industry experience with roles at Signet, Nike, and Borders. He previously served as chief technology officer at REI, and at Hasbro, he will oversee the digital and IT strategies.

    - Macy’s has named Keith Credendino as CIO, effective Aug. 4, after previously serving as SVP at the department store retailer since 2022. Credendino has also been an executive at Inspire Brands and InterContinental Hotels Group.

    - Canada Goose appointed Alfredo C. M. Tan as CDIO, effective Aug. 7, and taking over for Matt Blonder who will be departing the apparel company. Tan joins Canada Goose from Loblaw Companies, where he was SVP and managing director of the retail media division.

    - Howard Hughes Holdings named Bhupesh Arora as CTO to oversee the real estate development company’s technology strategy and operations. Arora was most recently VP of IT at Magellan Midstream Partners.

    - Jasper, an AI copilot developed for marketing teams, announced the appointment of Melody Meckfessel as CTO. Meckfessel previously spent over a decade at Google as VP of engineering and most recently cofounded and was CEO of Observable.

    - MicroAge appointed Tim McCulloch as CTO, succeeding Pete Schmitt, who is retiring after 23 years at the company. McCulloch initially joined MicroAge in 2022, and as CTO will oversee the tech firm’s IT strategy, AI and machine learning roadmap, and cybersecurity practice.

    - Inventis has named Michael Moore as CTO, ascending to the role after joining the event and venue planning software provider in 2020 as a principal software engineer.

    This is the web version of CIO Intelligence, a weekly newsletter on the tech, trends, and news IT leaders need to know.