cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
EGYPUT
Newcomer I

ROLES HIERARCHY

any reference for roles hierarchy? like who is the boss of whom?

for instance who is the boss of CAE? CISO, CEO, CIO or CFO

i am looking for all roles involved in the CISSP area of interest. 

1 Reply
JoePete
Advocate I

You will find job titles and responsibilities vary widely. We tend to throw the word "officer" around quite cavalierly. Keep in mind that the word "officer" can have certain legal and insurance ramifications.

 

Breaking down, your question:

CEO - Chief Executive Officer. I am sure there are many that are, but I have never come across one that is a CISSP. Typically all employees report up through management to the CEO, who in turn reports to the board (and may be a member of the board). Sometimes, the CEO is also the corporate president (a legally mandated officer), meaning they chair the board and corporate meetings.

 

CFO - Chief Financial Officer. It would probably be rare to find a CISSP in this role. Sometimes you have a CFO report directly to the board. You can think of it this way: The CEO is responsible for spending money; the CFO is responsible for the accounting. Separate reporting lines guard against something untoward. That said, I think you will find many CFOs actually report to the CEO. CFOs might also be the corporate treasurer (another legally mandated officer).

 

CIO - Chief Information Officer. I think you find a number of CISSPs in this role these days. I have never come across a CIO that reported directly to the board. Many report to the CEO. In some cases, you might have one reporting the COO (Chief Operating Officer) or CFO. The tendency is that boards perceive a problem, and then create an elevated-sounding title (like CIO) to convey they are taking it seriously. Or sometimes you see a groundswell (employees say we need more representation at the top) and lobby to have something like a CIO. The title basically came about in the 1980s when information resources were entering the workplace and CEOs, CFOs, and COOs weren't equipped to manage them.

 

CISO - Lots of CISSPs here. I've seen CISOs report all over the place including to general counsel. The title came about in the 1990s as cybercrime became more prevalent. You can find CISOs reporting all over the place. Rarely do they report directly to a board although you might have a CISO report to general counsel (who is often the corporate secretary).

 

CAE - Chief Audit Executive? I'm not very familiar with that role.

 

Overall, I think the danger with our "officer" fascination is we tend to create silos. They're great for fixing the problem in front of us, but long term, especially with security, is you want to see these functions integrated into normal operations.