Quiz Entry - updated: 2026.07.05
What does the Kantonsspital Aarau example show about placing information security in an organization?
Information security positioned as a staff function at the CTO level — alongside Legal & Compliance and IT architecture, above IT operations.
In the hospital's IT organization chart:
- The CTO sits on top
- Attached at staff level: IT Architektur, Info-Sicherheit, Legal & Compliance, and a Digital Office (coordinating digitalization PPM and IT innovation management)
- Below: Leiter Informatik (IT operations: service management, application management, project management, projects & investments) and Leiter Medizintechnik (medical technology)
What to notice:
- Security sits above operational IT, not inside it — it can set requirements for both IT and medical technology without being subordinate to the units it oversees
- Placement next to Legal & Compliance reflects how intertwined security is with regulatory duties (patient data!)
- This is the Stab-Linien pattern in practice: advisory + directive competence near the top, execution in the line
Tip: "Who does the CISO report to?" is a standard audit question — reporting into IT operations is a red flag (conflict of interest: the controller reports to the controlled).
Go deeper:
Chief information security officer (Wikipedia) — the CISO role and the debate over where it should report in the hierarchy.