Taking a Seat at the Table: The Quest for CISO Legitimacy

Abstract

The role of the chief information security officer (CISO) has emerged as critically important to organizations in managing cybersecurity risks. Unfortunately, many CISOs are limited by perceptions of boards and executive teams that the CISO is not a strategic partner. This study investigates CISOs’ struggles for legitimacy in their ascendancy into the executive suite and in directly reporting to the board of directors. In a grounded theory interview study, we use legitimacy theory as a lens to develop a model of a virtuous cycle of legitimacy, wherein a CISO’s legitimacy gains at the board level feed into successful bids for legitimacy within the executive suite, extending legitimacy theory to include legitimacy assessments within related hierarchal groups (i.e., the board and executive team). Given the growing importance of CISOs, we inform research and practice on how they can become full-fledged members of the executive team and legitimate partners of the board.
