General Counsel Should Lead Security Management and Risk
I have read many articles on the appropriate placement of Information Security over the years. There are many thoughts on it: some say the CFO, some say the CIO, others say the Board. This is a new approach, and I wonder what others think of this one.
Definitely not under the CIO. Under legal? Hmmmmm... Maybe you would have some more pull with the threat of legal action. I could see it being OK under legal, unless you got stuck in legal purgatory every time you proposed a change, or it took 6 weeks to ratify a Rules of Engagement (ROE) (yes, that happened to me), so maybe it isn't the best. I have seen the Risk Manager placed under legal so they could help quantify risks and the legal exposure of risks, but not the CISO or ISSO roles.
The CISO should be their own C-level: they take risks, they understand them, and they are expected to be an excellent communicator, capable of translating technical jargon into business speak, with a calm mind whilst everyone else pulls their own out.