What do you think? Will the CISO evolve into CIRO? Does the CISO belong under the CIO, or maybe just operational security?
I personally think 2018 is an aggressive timeframe, since many organizations still don't have a formal CISO defined and 20% of CIOs claim they don't think they need a CISO. It seems to me we need to inform the board (externally) about what a forward-leaning organization should expect in a CISO and drive change from the top down, rather than bottom up.