Information Security reporting lines

The question of where Information Security should report into within the organisation has come up in discussion. There is little consistency within my industry contacts. One reports to the CIO, another to a CFO. In my own case I report to a Director of Corporate Governance. Who is the more right? Frankly, I’m not sure that it really matters so long as there is support at the right level for the organisation. There are lots of conflicting views online. Here are some of them:

The right place for information security management is where it belongs; enterprise risk management

If there is an internal audit group, I would say that this function should report wherever this group reports

If you define Information security that it should include data governance and compliance, the methodology I follow make it part of the Business Intelligence organization

Often the most sensible solid line report is to the CIO

I do believe that in many organisations, the infosec function is best positioned reporting directly to the CIO

I think that if Information Security reports into the CIO, Information Security be autonomous from IT Operations

What do you think?