Because Target is aware of the potential cost of a major breach, Jacob Olcott, principal consultant on cybersecurity at Good Harbor Security Risk Management, was surprised that Maiorino did not have a higher place in the executive suite.
Nevertheless, having the CIO above the CISO could work.
"It is reasonable for organizations that have security- and risk-conscious CIOs to have the CISOs report through them," Olcott said.
However, that structure will fail if the CISO is "buried in the organization," Olcott said.
"If senior executives do not have visibility into the company's security posture, then that's a bad thing," he said.
Ultimately, senior execs, including the CEO, CFO and general counsel, depend on the CISO in deciding the level of risk the company will accept in setting security spending.