The Healthcare CISO: A Review of Reporting Relationships

May 20, 2025
What are the pros and cons of each reporting structure for health system chief information security officers?

In healthcare's increasingly security-conscious environment, the chief information security officer has become the key executive in ensuring healthcare data, technologies, and, ultimately, patient safety are protected. As a leader who works with colleagues from the bedside to the board of directors, the CISO is one of the most visible and important technology leaders in a health system.
 
A critical conversation my colleagues and I typically have with organizations looking to recruit CISOs relates to reporting structure. To whom should a CISO report? What is best practice and what would be most effective for each specific organization?  
 
This article looks at the most common reporting structures for the CISO role. I drew insights from a survey of healthcare CISOs conducted by our team as well as in-depth conversations with leading healthcare information security officers. I focus on pros and cons of each structure and share thoughts on how organizations can make each scenario work for them.  
 
Reporting to: Chief Information Officer/Chief Digital Information Officer
 
Pros: 
• The biggest pro for this structure is the alignment of the CISO with technology resources. In this scenario, the CISO most often holds governance, risk, and compliance oversight and also has the hardware and security technology teams reporting directly to them, which ensures that the program's technology needs are met.
• This structure ensures that security strategic planning is intertwined with the organization's digital and technology strategy. This is especially helpful for major system selections facilitated by the IT organization: having the CISO report to the CIO ensures that the CISO and their team are involved in assessing potential vendors for major systems early in the process, before contracts are signed and architectures are fixed.
• For less experienced CISOs, this structure allows them to be mentored by a more experienced executive in the CIO. This matters increasingly, as it has become common for CISOs to report to the Board of Directors on a regular basis.
 
Shortcomings:
• Some industry leaders point out that, while this structure does align resources, it can also create conflicts of interest in those instances where the CISO needs to push back on technology initiatives for security reasons. When the CISO reports to the CIO, the security leader may feel less inclined to challenge their boss about a particular software product, vendor partner, or resource allocation decision, and the CIO's own delivery priorities may end up shaping how security risk is reported upward.
 
Making It Work: Ensure the CISO and CIO have a strong working relationship and that there is room for healthy friction between technology strategy and security needs. Giving the CISO a direct line to the audit or risk committee for security reporting preserves candor without breaking the reporting line.
 
Reporting to: Chief Legal or Compliance Leader
 
Pros:
• The biggest potential pro here is the independence it may give the CISO from the technology organization. In this structure, the CISO often feels they have more autonomy to candidly assess the health system's technical security environment, its state of preparedness, and its technology infrastructure.
• Aligning with legal and/or compliance often means that the information security leader owns the governance, risk, and compliance functions of the role, while the security technology team remains in the CIO's domain and is often run by the CTO or another leader. This allows the CISO to be much more strategic in their planning because they are less bogged down by the day-to-day minutiae of keeping the program running.
• For the Board, this structure means the CISO has more autonomy in giving a candid assessment of the organization's information security posture.
 
Shortcomings:
• For this structure to be effective, the CISO must have a stronger executive skill set than if they reported directly to the CIO. Because the CISO has less direct span of control over the technology, the leader in this structure must rely on their ability to build relationships with peers and drive others toward a common goal through facilitation and consensus. That is a much more difficult task than when the CISO is part of the IT organization and directly oversees those teams.
• Along these lines, this structure can create a misalignment of technology resources if there is no formal tie back into the IT organization: the CISO may identify risks and set policy without controlling the budget or staff needed to remediate them.
 
Making It Work: Foster strong communication and collaboration between the CIO and CISO, both through formal channels (governance) and informal channels through collaboration of the teams. 
 
Reporting to: CEO/COO or other executive
 
Pros:
• In our national survey, this structure was relatively uncommon, but it is still worth noting. CISOs who report directly to the CEO or as part of the COO's team say they have the greatest autonomy in assessing the organization and offering candid judgment on the cybersecurity program.
 
Shortcomings:
• Reporting to the CEO or COO often means the CISO acts more as the top internal auditor for IT. While the individual has the ear of the CEO, they often lack the resources to make significant change themselves. This can quickly create a misalignment of resources, with findings escalated at the top of the organization but remediation dependent on teams the CISO does not control.
 
Making It Work: In this model, empower the CISO to build relationships across the entire C-suite in order to be effective. The information security leader in this structure must be highly effective at leading by building consensus.
 
Reporting to: Board of Directors

While a CISO reporting directly to the board is sometimes seen in financial services and banking, it is highly irregular in healthcare. Because of very specific regulations in financial services, and because the product itself is monetary, what is and is not allowed in order to protect data and systems is often very black and white. This is not the case in healthcare, where information security programs have to take people (patients, physicians, and various stakeholders) into greater account. As a result, healthcare requires a more clearly articulated risk-based strategy, and CISOs are more effective as part of the chain of leadership than as an independent reporting line to the board.
 
Final thoughts
 
Every organization is unique in how it effectively structures and positions information security leadership. While reporting to the CIO is often the default relationship in healthcare today, other scenarios like reporting to legal/compliance, the CEO, or even the Board can make sense as well. For now, the one constant across all structures is that the CISO is firmly a member of the senior leadership team in healthcare systems, and the role requires an experienced executive with broad skills to manage the organization's cybersecurity program effectively.
 
Zachary Durst is a recognized expert in the recruitment of healthcare CIOs and Chief Digital Officers as well as industry executives in the areas of information security, biomedical informatics, and data analytics. Since joining WittKieffer in 2013, Zach has led and supported searches for more than 180 clients across the U.S. Active professionally and a frequent speaker and writer on healthcare IT leadership, he has spoken and led conversations among CIOs and IT leaders at events hosted by the College of Healthcare Information Management Executives (CHIME), Healthcare Information and Management Systems Society (HIMSS), and Association of Medical Directors of Information Systems (AMDIS).
