You are newly hired as a CISO reporting to the CIO. After three months, you find security initiatives are deprioritized in favor of infrastructure projects. What is the most strategic step?
A. Accept the structure and focus on compliance
B. Raise the issue with internal audit to escalate governance concerns
C. Propose elevating the CISO role to report to the CEO or Board
D. Initiate a campaign to increase awareness on secure IT practices
Answer: C. Propose elevating the CISO role to report to the CEO or Board
To prevent conflicts of interest and increase influence, the CISO should ideally report outside of IT to a business executive or board-level function.