For enterprises with few workers, the CISO functions will likely be carried out by many individuals in different roles and the internal communication and cooperation is very tight, so there is usually no CISO at all.
Use a director level position within information technology for the CISO function.
As enterprises grow, a need for someone to centralize and have specialized expertise in information protection also grows. This leads to the need for at least a director level position associated with the functions of a CISO. In rare cases where little information technology is used and when the enterprise is privately held, this can be delayed.
Place the CISO within the office of the CSO or chief counsel.
It is often feasible to have the CISO within another department, such as the legal department or working from within HR for a mid-sized enterprise. In some sense this is better than working within the CIO's arena or for the CFO because the CISO is one of the enterprises checks and balances to assure that the shareholder value is protected regardless of the position and decisions of the CIO or CFO. After some size is reached, this function can no longer operate effectively within such an arena unless the top management team gets along very well because power struggles will create problems in getting the CISO's function done.
Place the CISO as a side box under the CEO or COO.
The placement of the CISO in a heavily information technology oriented company may be retainable within the information technology arena and working for the CIO because the CIO is likely to be the equivalent to a chief operating officer in a company that is not focused on information technology as its primary function. But this is problematic in most cases because the CISO has responsibilities that extend to the legal department, human resources, internal audit, and other areas which the CIO rarely operates. Retaining the CISO under the CIO reduces their utility in getting the whole enterprise information protection program working properly and excessively focuses the CISO on information technology issues at the expense of process.
The fundamental mandate for a CISO is that they not work for or within the CIO's organization or anyone else that they must affect control of.