Now that organisations should have a DPO in place as part of GDPR requirements, it’s time to reassess governance of information security…:
[…] Fourthly, and perhaps the most significant, having the CISO report into the CIO undermines their impartiality. The CIO can routinely redirect security budget towards frivolous and non-discretionary IT initiatives. As a result, rises in cyber security budgets do not translate to more resilience. Furthermore, when IT and security are bundled together, stability and speed will always take precedence over security, leading to delayed or terminated projects, unpatched critical systems and several other issues. This also raises the possibility that material risks may be filtered out of governance reports, as the CISO may be concerned about undermining their boss, which invariably threatens their own career progression, salary raise or bonus. This often leaves the board with an inflated sense of resilience, until the enterprise runs into trouble.