The role of Chief Information Security Officer was invented by Citibank in 1995. The role has been debated since then but should the CIO report to the CISO or the CEO? The most enlightened CISOs have managed to inculcate a consultative approach to security, writes Andrew Hammond. Hammond: Most organizations treat IT security as a necessary evil, an add-on, an after-thought. He says CISOs are experts in regulatory compliance and comfortable putting out fires instead of building things that are secure.”]
Source: https://www.csoonline.com/article/3237675/the-cio-should-report-to-the-ciso.html