Management: CISO: Is there an enterprise information protection (IP) Lead, and where are they placed?
Option 1: Don't have an Information Protection Lead (IP Lead) (a.k.a., CISO) or equivalent function.
Decision: IF the enterprise is small (only a few hundred workers), THEN no IP Lead is typically desired or required,
OTHERWISE IF the enterprise is privately owned and has less than $1B/y in revenues OR has little information technology, THEN use a director-level position within information technology for the IP Lead function,
OTHERWISE IF there is a top executive CSO or a supportive chief counsel, THEN place the IP Lead within the office of the CSO or chief counsel,
OTHERWISE place the IP Lead as a side box under the CEO, CFO, or COO.
Basis: Don't have an Information Protection Lead (IP Lead).
For enterprises with few workers, the IP Lead functions will likely be carried out by many individuals in different roles, and internal communication and cooperation are very tight, so there is usually no IP Lead at all.
Use a director-level position within information technology for the IP Lead function.
As enterprises grow, the need for someone who centralizes information protection and has specialized expertise in it also grows. This leads to the need for at least a director-level position associated with the functions of an IP Lead. In the rare cases where little information technology is used and the enterprise is privately held, this can be delayed.
Place the IP Lead within the office of the CSO or chief counsel.
It is often feasible to have the IP Lead within another department, such as the legal department or HR, for a mid-sized enterprise. In some sense this is better than working within the CIO's arena or for the CFO, because the IP Lead is one of the enterprise's checks and balances, there to assure that shareholder value is protected regardless of the position and decisions of the CIO or CFO. After some size is reached, this function can no longer operate effectively within such an arena unless the top management team gets along very well, because power struggles will create problems in getting the IP Lead's function done.
Place the IP Lead as a side box under the CEO or COO.
In a heavily information technology oriented company, the IP Lead may be retained within the information technology arena and work for the CIO, because there the CIO is likely to be the equivalent of the chief operating officer of a company whose primary function is not information technology. But this is problematic in most cases, because the IP Lead has responsibilities that extend to the legal department, human resources, internal audit, and other areas in which the CIO rarely operates. Retaining the IP Lead under the CIO reduces their utility in getting the whole enterprise information protection program working properly and excessively focuses the IP Lead on information technology issues at the expense of process.
The fundamental mandate for an IP Lead is that they not work for or within the CIO's organization, or for anyone else over whom they must exert control.