Organisational structures of modern businesses

Organisational structures of modern businesses

Do you know the organisational structure of your company or of a company you previously worked for?

What sort of hierarchy is there at your company? How well do departments communicate and interact to support cyber security measures? 

You're going to take a look at the most typical organisational structures and see how the Chief Information Security Officer (CISO) must understand and interact with the leading managers in order to maximise security. 

Organisational structures

The Chief Executive Officer (CEO), or Managing Director, is generally the head of the organisation and most businesses of significant size also have a Board of Directors who reports to the shareholders. The Board monitors what the CEO does. 

The executive leadership group – often known as the C-suite (C level)– report to the CEO, although some may also be members of the Board. They perform a variety of functions aligned to business areas such as Finance, IT, HR, Operations, Marketing and Sales. Each business area is managed by an executive and these roles typically include the Chief Financial Officer (CFO), Chief Information Officer (CIO), and Chief Operating Officer (COO). Each senior manager has a subset of responsibilities allocated to them by the CEO. For example, the CIO looks after the organisation’s information strategy and the COO is responsible for the day-to-day running of the business. 

Before you move on to taking a closer look at structure and how it affects the Chief Information Security Officer (CISO), it's important to consider financial conduct as this (like cyber security) informs all parts of the business and so needs special respect. 

Diagram showing Chief Executive officer, the board of directors and the executive C-suite inc. Sales, Marketing and IT.

Figure 1: An organisational structure 

Financial conduct

Regulatory requirements are often imposed by trade bodies and specify how an enterprise should operate to conform to certain standards. Although they are not legal obligations, regulatory bodies have extensive powers. Failure to comply with these bodies could lead to possible fines or, in extreme cases, exclusion from trading in a particular environment. The finance sector is a good example, it maintains strict controls to prevent financial malpractices such as fraud or money laundering. Official bodies, such as the Financial Conduct Authority (FCA) within the UK, have far-reaching powers.

The CISO position and influence

Now, you can look at where the ownership of information sits within the organisation structure to see which stakeholders are concerned with information risk.

Generally, the Chief Information Security Officer (CISO) reports either to the senior management team or directly to the CEO. However, as you can see, there are different structural variations. It's vital to establish a clear organisational structure. When this is in place, the business can better manage information security, so risks can be more successfully mitigated. The CISO must be a nominated individual with the responsibility for day-to-day management of all information security areas and authority. Information security must be present at the right level of the organisation – a level that can influence other areas. There’s no point having a security manager that nobody listens to or policies that aren’t taken seriously - the CISO must have enough power and position to implement the security system. The information assurance function and senior management also need to use positive reinforcement of good assurance behaviour. This helps to cement best practice throughout the company; some organisations even include feedback on assurance behaviour in their performance reviews. This is of huge benefit when trying to create a strong security culture throughout the company. Consider the increased use of outsourcing and offshoring over recent years and the continual adoption of cloud services. Organisation mergers and acquisitions also contribute to the changing landscape. Potentially security threats and risks.


Diagram showing Four integrated flow charts showing different organisational structures: 1. ISO reports to the CIO. The role might focus primarily on information assurance rather than operational security  2. Often in financial services, the CISO reports to the CFO to enable the role to focus on compliance  3. CISO reports to the COO, Role may focus on systems assurance, availability and network security  4. CISO reports directly to the CEO. Most useful Position for the CISO - they can operate across the business with the remit of the CEO

Figure 2: Comparison of organisational structures


Given what you’ve seen while exploring organisational structures, what are your thoughts on the organisational structure of your current company? What could improve the quality of connections between CISO and senior management?

What's next?

You have now looked at where the CISO fits and interacts within the corporate structure, next you shall be taking a much closer look at the CISO's roles and responsibilities.


In this course, you will discover the structures policies and practices which provide a basis for developing the organisation’s information security.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.