Where SHOULD the security function exist within the organization, in your opinion?

Security & GRCTeam & Organizational Design

Within the IT org (with security lead reporting to CIO)14%

As a separate function, with CISO reporting to CIO48%

As a separate function, with CISO reporting to CEO/board24%

It depends on the industry/company size/etc12%

Unsure/something else2%

94 PARTICIPANTS
715 viewscircle icon1 Comment
Sort by:
CISO/CPO & Adjunct Law Professor in Finance (non-banking)a year ago

The Information Security function is generally focused upon security risks as opposed to being driven by business operations like the IT function.  It is not a best practice for the CISO to report to the CIO since it can make security less important than simply completing the project. CIOs are usually compensated for "keeping the trains running" so that is their primary focus.
There are potential exceptions for small teams or very specific circumstances.   

Content you might like

Wondering if infosec folks consider the risk of burnout to be an unavoidable part of cybersecurity roles?

Yes, it’s unavoidable in cyber43%

No, it can be avoided48%

I don’t know…7%

View Results

How valuable is it if a sys admin is able to automate patching in order to move from a quarterly patch cadence to a monthly patch cadence?

Highly Valuable47%

Moderately Valuable52%

Not valuable at all

View Results

The use of Generative AI in the textile and industrial sectors — for instance in fashion companies or in the creation of marketing content — carries significant risks if not supported by adequate detection and risk management tools. Generative models may unintentionally incorporate elements protected by intellectual property rights, such as registered styles, patented designs, or content belonging to other fashion houses.

A notable example is the “Studio Ghibli” case, where AI-generated works reproduced distinctive, protected features.

In this context, how should Risk Managers equip themselves to prevent and mitigate such risks, ensuring innovation while avoiding legal violations and reputational damage?

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Read More Comments

What’s the best way to create or foster a collaborative dynamic between the D&A function and risk management teams?