This is my slide for evaluating Chief Information Security Officer (CISO) opportunities.
It can help frame a conversation with Human Resources.
When the CISO reports to a technology executive such as the CTO or CIO, that reporting structure is viewed by many as a conflict of interest. The role of a Tech Exec is to deliver features and functionality, while the CISO's role is to drive risk mitigation. When those roles are independent, a healthy risk debate takes place between the CISO and the Tech Exec, which helps maintain a balance between productivity and risk mitigation. When the CISO reports to the Tech Exec, that structure can reduce the effectiveness of the information security program, for example by limiting risk transparency to the CEO and the board of directors.