No, my boss doesn't (normally) read this magazine, nor am I fishing for a raise. Yes, I've read the latest think-tank projections and understand what convergence is. No doubt, a close working relationship between the physical and cyber sides is always vital, and 10 years from now, we may not even have CIOs.
Still, based on several survey results I've seen, most information security execs: currently report to the CIO; would rather report somewhere else, such as the CFO; expect to merge with the physical side; and think some day they'll report to the CEO (perhaps as chief risk officer).
The big (and I mean huge) problem with not being in the IT department is simply that you cannot have a true seat at the IT table. Security already struggles with the Us-Them syndrome. We're often viewed as party crashers when trying to become integrated into the lifecycle of projects. We fight the inhibitor label, and staying in sync with the IT team is hard — but worth the battle.
Everyone works on vital relationships, but no matter how hard you try, there is a cultural wall when security comes in under another chief. Simply stated, we become more like auditors — not true partners. I've never known anyone who was happy to undergo another security audit.
Of course, I'm making assumptions around what your CIO does, their effectiveness, and your inclusion within the IT team. All of it comes back to individuals — how we're perceived, the skills we possess, and the overall corporate culture. Everyone ultimately works for the same top boss, but for the foreseeable future, I'd rather leave information security under the CIO.
