The question of where Information Security should report into within the organisation has come up in discussion. There is little consistency within my industry contacts. One reports to the CIO, another to a CFO. In my own case I report to a Director of Corporate Governance. Who is the more right? Frankly, I’m not sure that it really matters so long as there is support at the right level for the organisation. There are lots of conflicting views online. Here are some of them:
The right place for information security management is where it belongs; enterprise risk management
If there is an internal audit group, I would say that this function should report wherever this group reports
If you define Information security that it should include data governance and compliance, the methodology I follow make it part of the Business Intelligence organization
Often the most sensible solid line report is to the CIO
I do believe that in many organisations, the infosec function is best positioned reporting directly to the CIO
I think that if Information Security reports into the CIO, Information Security be autonomous from IT Operations
What do you think?