I just re-read that post and realized that I left out the rationale of why they are moving the CISO role. If you think about it, the CISO and the CIO/CTO (chief information/technology officer) roles are direct contradictions of each other. The CIO/CTO is under a lot of pressure to make as much data as possible available to as many people as possible. This is for ease of use from within the organization and for customers and business partners. The CISO is on the other end of the spectrum, as they are usually trying to limit as much information as possible and put up barriers to many of those same users/customers/partners. As an extreme example (and not realistic, but I'm just trying to make a point), if they could get away with it, many CIO/CTOs would make everyone administrators and have every firewall rule any-any. If they could get away with it, many CISOs would take scissors to every Cat-5 cable they could reach and pour cement over the firewalls. With this in mind, when the CISO reports to the CIO/CTO, they are often trumped and their suggestions shot down. Nobody thought this was a big deal until companies started losing millions of dollars in data and getting fined for not being in compliance with regulations. To break this conflict of interest, the CISO spot is being moved under the finance and risk management area of the organization structure.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER