Who Should the CISO Report To?

Pave Data Lab
October 2, 2024

Is it a red flag if your Chief Information Security Officer (CISO) doesn’t report to the CEO? If you are a CISO or Head of Security, should you have a preference for reporting to the CEO or to the CTO/main R&D leader?

Let's explore Pave's dataset to see how companies approach this by stage.

CISO Benchmarks from Pave

Early stage: CEO. At early stage tech companies, the CISO/Head of Security reports to the CEO ~70% of the time.

Later stage: “it depends”. At later stage tech companies, the CISO/Head of Security reports to the CEO about a third of the time, to the CTO/equivalent about a third of the time, and to “Other Execs” about a third of the time.

Regardless of reporting structure, I agree that "it’s really about being in the room where it happens," a quote from Andy Ellis, operating partner at YL Ventures, a venture capital firm that specializes in cybersecurity investments.

What are your thoughts or suggestions to set your CISO/Head of Security up for success? Let me know on LinkedIn.

Matthew Schulman
CEO & Founder
Matt Schulman is CEO and founder of Pave, the complete platform for Total Rewards professionals. Prior to Pave, he was a software engineer at Facebook focusing on user-centric mobile experiences. A self-proclaimed "comp nerd," Matt is known for sharing data-driven thought leadership around all things compensation and personal finance.
