Not only are the roles of the CISO and CPO changing, but so are their relationships within the organization. Many CISOs who used to report to the CIO now report to other functions and, along with the CPO, have a direct or dotted line to the board. In this three-part series, we speak to current and former privacy and security leaders at Citi, AvePoint, Hunton and national retailers about these positions and their integral, and sometimes overlapping, roles in protecting an organization. This second installation discusses effective governance, including reporting structure and the relationship with the board. The final part will cover ideal policy ownership, and will include advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).