Where I sit organizationally, I report to the head of enterprise operational excellence, who reports to our group head, who reports directly to our CEO. My group has a head of innovation technology and shared services at TD Bank.
We felt that for strong governance, it was important to separate the CISO role from the technology organization, both for objectivity and as a reflection that cyber is really a business risk, not a technology risk.
We find that business engagement, in terms of process and products and how we engage our customers, is paramount to the success of our cybersecurity program.
As far as your other question is concerned, I had a bit of difficulty understanding whether you were talking about a percentage of spending or caps on spending.