Who should the Information Security office report to within an organization? I acknowledge that there is no one size fits all, however what is the best approach and recommendation?
In our organisation, the Information Security Office reports to the IT Director, who in turn reports to the CEO. Whether this is the best approach I'm not sure, but it works for us in an SME of about 2000.
Best practice recommends that Information Security should report to the Chief Risk Officer. If not, it needs to report directly to the CEO. Whatever the case may be, he should not directly report to the CIO, Head of IT, or Heads of Business verticals...
If the Information Security Officer (ISO) is the lead security person (i.e. no CISO, Risk Mgmt Ofcr, etc.) then there should be a direct reporting ability to the person above the CIO, to avoid filtering out bad stuff to protect the CIO.
I am a bit of an old-school curmudgeon and tend to roll my eyes at all the "chiefs" and "officers" we pack into org charts these days. My assessment is that if you have "officer" in your title, you should be an officer of the company (e.g. President (CEO), Treasurer (CFO), Secretary (COO)). Pretty much everyone else is a manager of some sort. An exception would be regulatory issues (e.g. a Compliance Officer or a DPO called for by the European Union GDPR).
I have always considered security a function of quality. In that sense, under your typical Chief Operating Officer you should have some sort of quality-assurance function. Of course under the COO is where I would also place IT functions under an IT Manager (and get rid of the CIO title - again, too many chiefs). Whether under or alongside IT, you should have some sort of quality assurance/information-security function. Their role is to develop, integrate and test security/quality operations.
Officers, including compliance, should be an independent silo answerable to the board - if not also directly to some regulatory authority - along with the other named officers of an organization. Now, a board could always say that security is so critical that it wants a CISO, and it creates the position and has it report to the board. The problem, however, is that now you create conflict with your COO. You're going to hold him or her responsible for operations, but the security of those operations will be the responsibility of someone else? That's like hiring a chef to cook you dinner but putting someone else in charge of the stove. If you also have a CIO, now you have a chef, a chief stove officer, and a chief food shopper. Good luck producing a decent meal in that kitchen. OK, you say, just arrange it so that the CISO and CIO report to the COO; fine, but you really aren't a chief if you report to another chief, are you? That's why I would call such things an IT Manager and a Director of Security and Assurance, or some such thing.