Description

The last couple of years have witnessed a proliferation and embedding of IT resources into many organizations' business processes, making the reliability and security of these IT resources important in guaranteeing business continuity. Through their organizational structures, firms usually delegate the decision-making rights for IT security activities and policies to an officer who in many cases is referred to as the Chief Information Security Officer (CISO). However, it is not very clear to whom the CISO should report. Using agent-principal theory, this study investigates how the interests of CEOs affect the decision-making discretion that CEOs give to CISOs. Using an objective data set of firms that hired a CISO between 2007 and 2014, this study seeks to find out whether there are any significant differences in financial gains/losses and business downtime between firms whose CISOs report to the CEO and firms whose CISOs report to other non-CIO members of the top management team (TMT).

Who Should the Chief Information Security Officer Be Reporting To?
