Sunday, August 26, 2007

Where should Information Security report in a modern organization and why?

“Hi ..., This is one of the hot topics we come across at enterprise-level customers. I think IT departments will soon become Business Technology Support departments (after all those "aligning IT with the business" discussions)... Information Security has multiple branches. It makes sense to segregate the operations and the management branches of information security.

Information Security Operations definitely belongs to the Information Technology (Business Technology Support) groups. In terms of reporting, that goes to the CIO. Corporate information security goals must be carried out (executed) via information security operations groups. I work with several Fortune 100 companies, and this “InfoSec Operations” organization type looks like the trend.

On the other side, I do think that information security policy/assurance should neither be an independent discipline nor be tied to information technology. The right place for information security management is where it belongs: enterprise risk management (GRC), so that all security risks, including information security, can be analyzed and managed in a holistic way. Today's complex IT infrastructure makes it impossible to segregate information security from the rest of the operational risks. For me it makes sense to have an independent "Risk Management" discipline to oversee all threats. That being said, information security based risks will form one of the core disciplines in risk management, and security must report to the Chief Risk Officer.

Let me know if you need more cases for the options listed above.

Regards,
- yinal ozkan”