
Who Should the CISO Report To?

Insights
October 2, 2024
2
min read
by
Matthew Schulman

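Is it a red flag if your Chief Information Security Officer (CISO) doesn’t report to the CEO? If you are a CISO or Head of Security, should you prefer reporting to the CEO or to the CTO/main R&D leader? The concern behind both questions is independence: a security leader who reports into R&D has to escalate risk through the same leader whose roadmap that risk may slow.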

Let's explore Pave's dataset to see how companies approach this by stage.

CISO Benchmarks from Pave

Early stage: CEO. At early-stage tech companies, the CISO/Head of Security reports to the CEO ~70% of the time.

Later stage: “it depends”. At later-stage tech companies, the CISO/Head of Security reports to the CEO about a third of the time, to the CTO/equivalent about a third of the time, and to “Other Execs” about a third of the time.

Regardless of reporting structure, I agree that "it’s really about being in the room where it happens," a quote from Andy Ellis, operating partner at YL Ventures, a venture capital firm that specializes in cybersecurity investments.

What are your thoughts or suggestions for setting your CISO/Head of Security up for success? Let me know on LinkedIn.

Matthew Schulman
CEO & Founder
CEO and Founder of Pave

