This is the number one question I’m asked, far & away.

My answer is this: it depends.

It’s not the cop-out you think. The organization and history of the enterprise impacts the decision.

My preference, in order:

  1. Member of the Board of Directors
  2. Reports to the CEO
  3. Reports to the CFO
  4. Reports to the CSO
  5. Reports to the CIO

Fundamentally, InfoSec should not report to an operational entity. The CIO is operational.

Ed and I talked about this on the PVC Security Podcast. What are your thoughts?
