Journal of International Technology and Information Management

Document Type



The proliferation and embeddedness of Information Technology (IT) resources into many organizations’ business processes continues unabated. The security of these IT resources is essential to operational and strategic business continuity. However, as the large number of recent security breaches at various organizations illustrate, there is more that needs to be done in securing IT resources. Firms, through organizational structures, usually delegate the management and control of IT security activities and policies to the Chief Information Security Officer (CISO). Nevertheless, there seem to be a number of firms without a CISO and for the ones that do, there is little consensus regarding who the CISO should be reporting to. This exploratory study investigates the organizational security reporting structures using a dataset of all the firms that hired a CISO between 2010 and 2014. The results suggest that the number of firms hiring CISOs is increasing and that the hired CISOs are predominantly coming from outside the firm. Also, CISOs who are hired to fill newly created positions tend to report to the CEO whereas replacement hires for existing positions tend to report to the CIO. These findings have implications for both academics and practitioners.