XChange 2015 Panel: Who Should The CISO Report To?

While the Chief Information Security Officer (CISO) position is clearly on the rise, what remains unclear is the role itself and where it should fit within the organization.

For a partner, a key indicator of that role for sales conversations with CISOs is who that person reports to in the organization, John Ford, principal and founder at Tampa, Fla.-based Sienna Group, said on a panel at IT Security University, held at XChange 2015 and hosted by CRN parent company The Channel Company.

The CISO often reports up into one of three areas: finance, under the CFO; technology, under the CIO; or directly to the CEO. Those three reporting structures indicate different priorities, the panel agreed.

"A lot of it comes down to the perception of IT within the company and what the company is worried about and where it perceives risk," Roger Hale, senior director of information security for The Lending Company, said. Hale said in his career he has reported to the COO, president, CFO and CIO.

If the CISO reports to the CFO or other financial executive, Ford said that signals that they are compliance focused, not directly security focused.

"Security and compliance are not the same thing. You can be absolutely compliant and horribly insecure," Ford said.

On the flip side, Ford said if the CISO reports to the CIO then they are more focused on projects that enable the business, as their salary is tied to the IT budget.

One other option for the CISO's position within the organization is to have all of IT reporting up into the CISO, instead of the other way around. That is a trend that is on the rise, Hale said, with big companies such as Booz Allen Hamilton jumping on board.

One reason that trend could be on the rise is that the CISO role should be a horizontal role across the organization, not a vertical one, Bobby Dominguez, chief strategy and security officer at Lynx Technology Partners, said on the panel.

"The CISO role is horizontal. If you are a vertical underneath IT, you're not doing your job right," Dominguez said. "You have to think of yourself as a horizontal. The evolution of IT is not a group...I see the IT role being one of a service broker."

The reason for that, Dominguez said, is that security challenges such as shadow IT and application integration stretch across organization stacks. A good CISO, he said, will go to each of these lines of business, introduce themselves and ask what their pain points are that cause them to evade security measures.

"I don’t think it really matters whether you come from a technology or more of a business background. What matters is you have to be able to solve problems, you have to be passionate about it," Dominguez said. "That’s business enablement and, by learning that, I can start establishing my strategy. You have to be a people person, not a technology person."