Where Should the CISO Report?

This is the number one question I’m asked, far & away.

My answer is this: it depends.

It’s not the cop-out you think. The organization and history of the enterprise impacts the decision.

My preference, in order:

  1. Member of the Board of Directors
  2. Reports to the CEO
  3. Reports to the CFO
  4. Reports to the CSO
  5. Reports to the CIO

Fundamentally, InfoSec should not report to an operational entity. The CIO is operational.

Ed and & talked about this on the PVC Security Podcast. What are your thoughts?