My answer is this: it depends.
It’s not the cop-out you think it is. The organization and history of the enterprise impact the decision.
My preference, in order:
- Member of the Board of Directors
- Reports to the CEO
- Reports to the CFO
- Reports to the CSO
- Reports to the CIO
Fundamentally, InfoSec should not report to an operational entity. The CIO is operational.
Ed and & talked about this on the PVC Security Podcast. What are your thoughts?