This is the number one question I'm asked, far & away.

My answer is this: it depends.

It's not the cop-out you think. The organization and history of the enterprise impact the decision.

My preference, in order:

  1. Member of the Board of Directors
  2. Reports to the CEO
  3. Reports to the CFO
  4. Reports to the CSO
  5. Reports to the CIO

Fundamentally, InfoSec should not report to an operational entity. The CIO is operational.

Ed and I talked about this on the PVC Security Podcast. What are your thoughts?

My original entry is here: Where Should the CISO Report? It was posted Wed, 04 Nov 2015 22:00:31 +0000.

Filed under: professional, CEO, CFO, CIO, CISO, CSO, InfoSec