For my non-technical friends and people who are on the perimeter of tech (or even security, for that matter), the question of who the CISO reports to is not a question at all. They always espouse the standard assumption that, like the CFO, CIO, and other C-suite seats, the CISO should report to the CEO. Sometimes a friend will suggest the CFO, but they are just screwing with me to get a reaction....
What this tells me, though, is that many people do not understand the fundamental duties most CISOs carry within an organization. Nor do they understand the dynamics that reporting to the CEO carries with it. To understand why the CISO reporting to the CEO is sub-optimal, we first need to agree on what a CISO does.
The CISO is primarily responsible for the curation, development and execution of cyber security strategy and policy. That is a vague, broad description, but it has to be, because it encompasses a vast area of responsibility. In some organizations the CISO is also the senior technologist, the person who knows how to select and configure security solutions. This second persona confuses many people and makes the question of who the CISO should report to that much harder to answer.
The CEO on the other hand is focused on developing the strategy for business operations, resource allocation and the overall development of the business.
So now, with that defined, let us ponder the question we are here to answer. When the CISO, who is developing plans to secure an organization's data at every stage of its lifecycle, needs authorization to implement global strategy changes, should the CEO be the sole decision maker? The same individual who is trying to optimize and grow the business? This presents a conflict: the assumption is that the CEO will recognize the value of secure operations, or that the CISO has prepared the CEO to make a good decision, but that is often not the case.
This is a simple example, but a real scenario that plays out quite often. Quite simply, the CISO should report to a "body" that provides direction to the CEO. The board of directors is the common representation of this "body". In the financial world, the board is a powerful group of individuals who are appropriately abstracted from the day-to-day operations of the business. That abstraction makes it easier to identify both risk and value, and that is exactly the kind of clear thinking a business needs in order to thrive with an empowered CISO.
I will get off my soapbox now; I did not want this to sound like a rant, and I hope it doesn't. Most organizations are set up to have the CISO report to the CEO or CFO; very few are designed to have the CISO report to the board. I simply want to cast a vote (in the vastness of the internet) for the CISO -> Board model, because sub-optimal processes drive me nuts.