Chief Information Security Officers on Top Management Teams: Impact on Firms’ Innovation

The rapid rise in information security incidents and the growing significance of cybersecurity have prompted many firms to elevate chief information security officers (CISOs) to top management teams (TMTs). Although prior work has examined the security-related impact of the CISO on firms, the implications of elevating the CISO to the TMT regarding the value of businesses have not been explored. Understanding how to integrate CISOs into TMTs is critical, as they bring a unique perspective on security risk management to executive decision making. To understand the implications of this change in TMTs’ composition, we conducted a longitudinal analysis of S&P 1,500 firms. Our results show that the presence of the CISO on the TMT positively impacts firms’ innovation. We identify three mechanisms that explain the impact of CISO presence on the TMT on innovation: reduced security risk, enhanced security controls, and the facilitated adoption of innovation enablers with a strategic security risk, thereby increasing firms’ innovation. Additionally, we find that the work experience of the CISO mattered because CISOs on TMTs with specialized experience increase firms’ innovation. This research illuminates how CISOs’ presence on TMTs affects firms’ value creation from a security risk management perspective. We also provide nuanced insights into how the professional experience of the CISO on the TMT impacts firms’ innovation. Our findings provide guidance for firms seeking to hire CISOs for TMTs who can effectively manage firms’ information security and contribute to value creation by supporting innovation.

History: Indranil Bardhan, Senior Editor; Pallab Sanyal, Associate Editor.

Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2023.0197.