A few months ago, Sony announced that it was created a new CISO position, reporting directly to the CIO, in response to the attacks against PlayStation. I\u2019m encouraged by the fact that Sony realizes they need someone focused on data security \u2013 but discouraged that they\u2019ll be reporting to the CIO, who almost always has a fundamental conflict of interest and often reduces this role to a figurehead. CIO\u2019s are typically responsible for the information technology and systems that support enterprise operations, and they need them to be high-performing and feature rich (and security often crimps that style).If I were CEO of a multinational enterprise like Sony, MassMutual, SAP, and others, I would place my CISO reporting to the most senior risk executive in the company and have that person report to me. I would create a nested risk-based approach to data\/information protection. For example, Application Security would be part of a larger Information Security group, which would be part of a larger risk group, which is responsible for assessing risk in the context of business continuity and operations.Security and risk are elements of _every_ person\u2019s job, and the group who\u2019s \u201cresponsible\u201d for security has the charter of assuring the dissemination and absorption of those security\/risk elements (making it part of the culture vs. doing all the security work themselves in the security group.) This would be my yin to the CIO and IT yang of faster, cheaper, more efficient automation of data management.Companies like Thomson Financial, Liberty Mutual, and SAP had it right, imo, and changed things \u2013 which sent their CSO\u2019s running away and significantly weakened their security posture overall.