I am compelled to write this after the Sony CEO mischaracterized the Guardian of Peace hack as an "IT Matter.Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├Â├ë With the business impact and implications of the hack coming out subsequent to the event, I expect the CEO is changing his mind. As I visit client after client, the CISO (or, really, the IT Security Officer), typically reports to the CIO. From many of those same organizations, I hear them say that they cannot get the business folks to tell them what is sensitive, or to communicate their security requirements. My response usually is: How would they know? This is evidence of the failure that occurs when there is no Corporate-side CISO who has the responsibility to drive awareness in the business of their responsibility for security, get the business involved, and define business security requirements. Positioning security solely in I.T. tells your organization that security is an I.T. problem, and guess what? The business adopts the convenient idea that I.T. alone is taking care of security, and pays for security. After all, it is I.T.'s responsibility. More problematic, effective security is impaired in many cases by the I.T. motivation to reduce costs because, guess what, the CIO often reports to the CBO (Chief Bean Counter). In reality, both positions are necessary and must collaborate closely...the business-oriented CISO and the tech-savvy I.T. Security Officer. Check your best practices on this: CISSP, ISMS, etc. call for the business-side CISO.