A few months ago, Sony announced that it was created a new CISO position, reporting directly to the CIO, in response to the attacks against PlayStation. I’m encouraged by the fact that Sony realizes they need someone focused on data security – but discouraged that they’ll be reporting to the CIO, who almost always has a fundamental conflict of interest and often reduces this role to a figurehead. CIO’s are typically responsible for the information technology and systems that support enterprise operations, and they need them to be high-performing and feature rich (and security often crimps that style).
If I were CEO of a multinational enterprise like Sony, MassMutual, SAP, and others, I would place my CISO reporting to the most senior risk executive in the company and have that person report to me. I would create a nested risk-based approach to data/information protection. For example, Application Security would be part of a larger Information Security group, which would be part of a larger risk group, which is responsible for assessing risk in the context of business continuity and operations.
Security and risk are elements of _every_ person’s job, and the group who’s “responsible” for security has the charter of assuring the dissemination and absorption of those security/risk elements (making it part of the culture vs. doing all the security work themselves in the security group.) This would be my yin to the CIO and IT yang of faster, cheaper, more efficient automation of data management.
Companies like Thomson Financial, Liberty Mutual, and SAP had it right, imo, and changed things – which sent their CSO’s running away and significantly weakened their security posture overall.