It’s time to rethink CISO reporting lines

Despite inroads in the C-suite and rising prominence across the business at large, security leaders are still more likely to operate at a remove from the organization’s executive leadership when it comes to reporting structures.

According to IANS Research and Artico Search’s 2026 State of the CISO Benchmark Report, 64% of CISOs still report into IT, typically the CIO or CTO. Just 11% report to the CEO, while others fall under the CFO (5%), chief risk officer (5%), legal counsel (5%), or other business roles (5%).

Although the survey found that “reporting lines are slowly shifting, and dotted line responsibility is often just as or more important than direct line reporting,” traditional reporting lines still hold, which raises the question: Does that reporting structure still make sense?

The age-old problem with CISOs reporting into CIOs is that it could present — or at least appear to present — a conflict of interest.

Cybersecurity consultant Brian Levine, a former federal prosecutor who serves as executive director of FormerGov, says that concern is even more warranted today.

“It’s the legacy model: Treat security as a technical function instead of an enterprise‑wide risk discipline,” he says. “The problem is that when the CISO sits under the CIO, cost containment may outrank risk reduction.”

Conflicts of interest

Levine agrees that reporting to the CIO creates “an inherent conflict of interest.”

“The CIO is rewarded for efficiency and savings and the CISO is responsible for identifying risks that often require new spending,” he explains. “It’s like asking the fire marshal to report to the person whose bonus depends on cutting the number of sprinklers.”

Enterprise CISOs should be reporting a notch higher, Levine argues.

“Ideally, the CISO would report to the CEO or the general counsel, high-level roles explicitly accountable for enterprise risk. Security is fundamentally a risk and governance function, not a cost‑center function,” Levine points out. “When the CISO has independence and a direct line to the top, organizations make clearer decisions about risk, not just cheaper ones.”

Zach Lewis, CISO at the University of Health Sciences and Pharmacy in St. Louis, agrees that a conflict of interest arises in reporting into IT.

“The CIO is all about [system] availability whereas the CISO needs to bring systems down so that things can be patched, fixed,” Lewis says, offering that a hypothetical CIO might tell a CISO, “I don’t want you to do [a patch or a security upgrade] because it would impact my bonus.”

Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, sees resources being another conflict of interest. 

“In many organizations, IT [executives] are heavily incentivized to deliver new capabilities, which could strain the resources available to the CISO when trying to ensure that security and privacy are baked into these projects,” Villanustre says. 

At the same time, having the CISO report into someone such as the general counsel or CFO “could negatively impact the alignment between CISO and IT, which is paramount to making the CISO job more effective,” Villanustre adds. “Forcing these types of moves could backfire.”

With regulatory pressure mounting, especially in financial services, Villanustre believes CISO reporting structures will come under greater scrutiny. “It’s likely that there will be changes soon that can alter the current statistics [of reporting lines for CISOs] quite significantly,” he says.

What’s in a reporting line?

Aaron Painter, CEO of security vendor Nametag, contends that reporting structures often mean less than the respect the CISO is granted.

Painter is “less dogmatic about where the CISO reports and more focused on whether they actually have a seat at the table,” he says.

“Org charts matter far less than influence,” he adds. “Whether the CISO reports to the CIO, the CEO, or someone else, the real question is this: Are they brought in early, listened to, and empowered to shape how the business operates? When that’s true, the structure works. When it’s not, no reporting line will save it.”

Sanchit Vir Gogia, chief analyst at Greyhound Research, argues that the trend to have CISOs report to an IT executive “is one of the most structurally damaging legacy habits still entrenched in enterprise security governance.”

“On paper, it may seem like a clean alignment,” he says. “In practice, it’s a governance anti-pattern that quietly erodes the CISO’s ability to surface truth, escalate risk, and hold the organization accountable. Keeping security under IT may seem convenient, but in today’s threat landscape, it is a structural vulnerability disguised as tradition.”

Like others, Gogia’s argument falls back to the potential for conflicts of interest.

“The CIO’s job is to enable business through technology. Innovation, delivery, velocity. The CISO’s job is to identify and mitigate risk, even when that slows things down,” Gogia says. “When the CISO reports to the CIO, risk can be filtered, prioritized out of sight, or reshaped to fit a delivery narrative. It’s not about bad actors. It’s about role tension. And when that tension exists within the same reporting line, risk loses.”

Moreover, Gogia believes security reporting to IT “sends all the wrong cultural signals.”

“Employees know where power sits. If the CISO is three levels below the CFO, nobody takes their escalation seriously. If the CISO needs to ask their boss’s permission to flag a critical control gap, that’s not empowerment; it’s containment. Over time, the organization learns to route security around the CISO, not through them,” he says. “What matters most is unfiltered visibility and the freedom to present uncomfortable truths without career penalty.”

Gogia argues in favor of a better reporting structure for cybersecurity. 

“We’re seeing the emergence of the chief digital risk officer (CDRO) model, which reframes the role altogether. Rather than being a technologist reporting into infrastructure, the CDRO is a senior executive responsible for digital risk across cyber, data, AI, and third-party exposure,” Gogia says. “This role often sits beside the CRO and CFO, not below them. It reflects the reality that digital risk is not a subset of IT. It is a board-level category in its own right.”
