This chapter is very important. We will aim to understand how a secure organizational structure can be established. Generally, we let the CEO stand in for the board of directors. As the Chief Executive Officer, he is the person who takes all decisions. Instead of going to the board of directors again and again, we'll simply go to the CEO.

By the way, the previous article was on organizational processes.

Now, who will be in charge of information security, or be its head? This responsibility is generally given to the CISO – Chief Information Security Officer.

The responsibilities of the CISO include pretty much everything that we do in information security. So he will be responsible for maintaining the security of the organization. He will mainly be interested in coordinating with all the various departments; framing policies, procedures, rules, guidelines, baselines, etc.; sending them to the CEO or the board; and then, once they are approved, managing, implementing, and continuously improving all of these. The main work is to keep the organization safe. But the problem here is: where does this role stand in the organizational structure?

I would also recommend that you understand Goals, Mission and Objectives.

How will we communicate with the CEO if we need to?

Communicating directly with the CEO would be good. From the security point of view, you are communicating with the person who has the most authority, and he can take action at the right time.

But the main problem here is that the CEO does not have time for information security. He is a busy person. He is not going to listen to each and every thing you want to tell him, as he has a lot of work to do. You will have to limit yourself, and that can actually cause security issues.

There is one more possibility: you add one level between the CEO and the CISO. Now the problem is, which level will it be?

Most companies think that information security is still a part of information technology. They prefer to put the Chief Information Officer – CIO between the two. This gives many benefits: the CIO is a technical person, he knows everything, he can understand you, he can communicate most things to the CEO, and he can also make some decisions for us. The main problem here is that the CIO is responsible for managing the IT functions. So sometimes he will ignore information security concerns, because he may think that information security is just a part of IT that stops an efficient IT function. It is treated like a burden on IT, and that's the problem with this model.

Maybe you should also read Types of Security and How Do You Define Security?

What else can we do? Maybe we can remove the CIO and add some other department instead.

For example, we may go with the Legal Department of the company. They study information security as a part of compliance and various laws. So to some extent it is very good to stay under them, but the problem here is that if the Legal Department is above us, then maybe we will also have to listen to them a lot. So we might end up working on compliance checks and audits only.

Another example: maybe we can report directly to the Chief Risk Officer – CRO. The problem here is that the CRO may have a non-technical background. He may simply be from a financial background and not understand us properly, or he may not be able to communicate effectively with the CEO in terms of InfoSec. So that can cause some problems.

The same will occur with the Audit Department, Administrative Services Department, Physical Security Department, etc.

So deciding on this one level is very hard. But when you're talking about having two levels between the CEO and the CISO, that's going to be way harder!

With two levels between top management and the CISO, security may get compromised because of filtering. There is one person above you, and you report something to him. There is one more person above him, to whom he reports, and only then does that report finally go to the CEO. In this process, information may get filtered.

It may also get delayed or simply ignored. So this is not advisable.

Which department will sit between the CISO and the CEO?

That will depend on the goals of the organization and the resources available to it. What are the policies, the strategies, the vision or even the mission of the organization? It will completely depend on that. But the legal department is a really good option, and having an independent department for the CISO is also good. The CIO will be in the middle in most companies because of the old thinking, but every option has its own strengths and weaknesses. This is how the roles and placement in a secure organization can be decided.

We still need to cover the various other roles that work under the CISO, so let's do that in the next chapter.

P.S. This article is a part of my Last Week CISSP Series.