ABSTRACT

The Chief Information Security Officer (CISO) reports directly to the Chief Information Officer (CIO), the Director of Information Technology (IT), the Vice President of Systems, or whatever title the head of the IT department holds. The advantage of this model is that the individual to whom the security officer reports understands the technical issues and typically has the clout with senior management to make the desired changes. CISOs are typically hired for their ability to understand the adversary and to lead threat modeling efforts that map out the actions an adversary may take. Effective CISOs also understand compliance and privacy constructs, a discipline that is not typically the focus of IT departments. The history of reporting to the CIO stems from security being viewed as only an IT problem, which it is not. The breaches, starting with the 2013 Target breach, have helped to change the placement of the CISO.