Watch this video on YouTube
What is the MOST critical factor to consider when establishing a reporting structure for an information security program within a large, decentralized organization?