https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35031#M2605 <P>Definitely not under the CIO. Under legal? Hmmmmm... Maybe you would have some more pull with the threat of legal action. I could see it being OK being under legal, unless you got stuck in legal purgatory every time you proposed a change or it took 6 weeks to ratify a Rules of Engagement (ROE) (yes that happened to me) so maybe it isn't the best. I have seen Risk Manager being placed under legal so they could help quantify risks and legal exposure of risks, but not for the CISO or ISSO roles.</P><P>&nbsp;</P><P>I like the CISO being their own C level position.</P> Wed, 22 Apr 2020 19:40:29 GMT CISOScott 2020-04-22T19:40:29Z https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35023#M2604 <P>I have read many articles on the appropriate placement off Information Security over the years.&nbsp; There are many thoughts on it, some saying the CFO, some saying the CIO, others stating the Board, this is a new approach and wonder what others think on this one.</P><P>&nbsp;</P><P>This is a synopsis:</P><P>&nbsp;</P><P><A href="https://www.todaysgeneralcounsel.com/gc-should-lead-security-management-and-risk/" target="_blank">https://www.todaysgeneralcounsel.com/gc-should-lead-security-management-and-risk/</A></P><P>&nbsp;</P><P>You can link to the full article but a little difficult to read:</P><P>&nbsp;</P><P><A href="https://issuu.com/todaysgc/docs/todaysgeneralcounsel_spring2020/24" target="_blank">https://issuu.com/todaysgc/docs/todaysgeneralcounsel_spring2020/24</A></P><P>&nbsp;</P><P>I agree with an alignment but am not convinced Legal should lead...........</P><P>&nbsp;</P><P>Thoughts?</P><P>&nbsp;</P><P>d</P><P>&nbsp;</P> Wed, 22 Apr 2020 15:01:16 GMT https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35023#M2604 dcontesti 2020-04-22T15:01:16Z https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35031#M2605 <P>Definitely not under the CIO. Under legal? Hmmmmm... Maybe you would have some more pull with the threat of legal action. I could see it being OK being under legal, unless you got stuck in legal purgatory every time you proposed a change or it took 6 weeks to ratify a Rules of Engagement (ROE) (yes that happened to me) so maybe it isn't the best. I have seen Risk Manager being placed under legal so they could help quantify risks and legal exposure of risks, but not for the CISO or ISSO roles.</P><P>&nbsp;</P><P>I like the CISO being their own C level position.</P> Wed, 22 Apr 2020 19:40:29 GMT https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35031#M2605 CISOScott 2020-04-22T19:40:29Z https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35039#M2608 <P>The CISO should be their own C level, they take risks, they understand them, and they are expected to be an excellent communicator, and capable of deciphering technical jargon to business speak, along with a calm mind, whilst everyone else pulls there own out.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_cautim</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Apr 2020 03:56:23 GMT https://community.isc2.org/t5/Tech-Talk/General-Counsel-Should-Lead-Security-Management-and-Risk/m-p/35039#M2608 Caute_cautim 2020-04-23T03:56:23Z