"Who should a CISO report to?" is a perennial favorite topic of conversation for security folks—CEO? CIO? CTO? General Counsel? CRO? Someone else?
Every vertical has different needs, so let's drill down into a specific vertical: cryptocurrency / web3.
Security risks vary enormously across verticals in, say, the Fortune 1000. At one extreme you have companies with very low security risk that are primarily concerned with the financial impact of regulatory fines resulting from a data breach.
If regulatory compliance is the primary driver of your company cybersecurity strategy, then there is a strong argument that the CISO should report to the General Counsel. This seems self-explanatory, no?
Across the middle bulge of the normal distribution you see CISOs reporting to technical leadership, like CIOs, CTOs, or VPs of Engineering. If you collect, store, process, and secure large amounts of business-critical data (information), then there's a reasonable argument to be made that the Chief Information Security Officer should report to the Chief Information Officer.
In this common use case there is a much weaker argument for the CISO to report to a CTO or VP / Engineering—this is usually a result of execs saying "we don't understand security, it’s too technical, let's give it to our company tech lead". But building technology and company-wide security risk management are two entirely different skill sets that only by coincidence happen to be technical in nature.
Now we come to the opposite extreme end of the spectrum, where security risk poses company-ending catastrophic or even existential business risk.
What happens when the mission-critical information in question is fungible, non-reversible cryptocurrency?
In such a scenario, does it make sense for the CISO to report to the General Counsel? Clearly not. If cybersecurity risk ("if we get hacked") could result in bankruptcy, then that's not legal or regulatory risk, that's pure cybersecurity risk.
In such a rare and extreme scenario, I think you have two reasonable options: the CISO should report to either a Chief Risk Officer (CRO) or to the CEO directly.
CROs are a bit of a unicorn role, both rare and hard to hire for—how do you find someone equally fluent in legal risk, financial risk, and cybersecurity risk, all in the same human being? But great if you can find such a person.
So when security risk poses company-ending bankruptcy risk, I tend to think the CISO should report directly to the CEO. The chief executive must constantly balance risk and reward in driving their business forward, and that means having detailed information from a direct report (the CISO) about the risk on their flanks.
There's ultimately no right answer to the question "Who should the CISO report to?" That's because the correct answer is "It depends." It depends on your threat model. It depends on the nature of the security risk that a business carries.
Just as foreign policy writes domestic policy, so too external risks to a company drive internal org chart design.