Just an interesting snippet from The Register (emphasis mine):

RSA has appointed its first chief security officer, three months after a data theft on its network contributed to the hack of the world’s biggest defense contractor, and possibly other important customers.

http://www.theregister.co.uk/2011/06/10/rsa_chief_security_officer/

I’ve been telling people for ages that having a CISO is normal good practice these days.  Evidently nobody told the security industry.