{"id":7224,"date":"2026-02-24T07:00:00","date_gmt":"2026-02-24T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7224"},"modified":"2026-02-24T07:00:00","modified_gmt":"2026-02-24T07:00:00","slug":"its-time-to-rethink-ciso-reporting-lines","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7224","title":{"rendered":"It\u2019s time to rethink CISO reporting lines"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Despite inroads in the C-suite and rising prominence across the business at large, security leaders are still more likely to operate at a remove from the organization\u2019s executive leadership when it comes to reporting structures.<\/p>\n<p>According to IANS Research and Artico Search\u2019s <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/2026-report-finds-executive-level-ciso-titles-more-prevalent-than-ever\">2026 State of the CISO Benchmark Report<\/a>, 64% of CISOs still report into IT, typically the CIO or CTO. 
Just 11% report to the CEO, while others fall under the CFO (5%), chief risk officer (5%), legal counsel (5%), or other business roles (5%).<\/p>\n<p>Although the survey found that \u201creporting lines are slowly shifting, and dotted line responsibility is often just as or more important than direct line reporting,\u201d traditional reporting lines still hold, begging the question: Does that reporting structure still make sense?<\/p>\n<p>The age-old problem with <a href=\"https:\/\/www.csoonline.com\/article\/3964405\/reporting-lines-could-separating-from-it-help-cisos.html\">CISOs reporting into CIOs<\/a> is that it could present \u2014 or at least appear to present \u2014 a conflict of interest.<\/p>\n<p>Cybersecurity consultant <a href=\"https:\/\/formergov.com\/directory\/brianlevine\">Brian Levine<\/a>, a former federal prosecutor who serves as executive director of FormerGov, says that concern is even more warranted today.<\/p>\n<p>\u201cIt\u2019s the legacy model: Treat security as a technical function instead of an enterprise\u2011wide risk discipline,\u201d he says. \u201cThe problem is that when the CISO sits under the CIO, cost containment may outrank risk reduction.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Conflicts of interest<\/h2>\n<p>Levine agrees that reporting to the CIO creates \u201can inherent conflict of interest.\u201d<\/p>\n<p>\u201cThe CIO is rewarded for efficiency and savings and the CISO is responsible for identifying risks that often require new spending,\u201d he explains. \u201cIt\u2019s like asking the fire marshal to report to the person whose bonus depends on cutting the number of sprinklers.\u201d<\/p>\n<p>Enterprise CISOs should be reporting a notch higher, Levine argues.<\/p>\n<p>\u201cIdeally, the CISO would report to the CEO or the general counsel, high-level roles explicitly accountable for enterprise risk. Security is fundamentally a risk and governance function, not a cost\u2011center function,\u201d Levine points out. 
\u201cWhen the CISO has independence and a direct line to the top, organizations make clearer decisions about risk, not just cheaper ones.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/zacharylewis1\">Zach Lewis<\/a>, CISO at the University of Health Sciences and Pharmacy in St. Louis, agrees that a conflict of interest arises in reporting into IT.<\/p>\n<p>\u201cThe CIO is all about [system] availability whereas the CISO needs to bring systems down so that things can be patched, fixed,\u201d Lewis says, offering that a hypothetical CIO might tell a CISO, \u201cI don\u2019t want you to do [a patch or a security upgrade] because it would impact my bonus.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\">Flavio Villanustre<\/a>, CISO for the LexisNexis Risk Solutions Group, sees resources as another conflict of interest.\u00a0<\/p>\n<p>\u201cIn many organizations, IT [executives] are heavily incentivized to deliver new capabilities, which could strain the resources available to the CISO when trying to ensure that security and privacy are baked into these projects,\u201d Villanustre says.\u00a0<\/p>\n<p>At the same time, having the CISO report into someone such as the general counsel or CFO \u201ccould negatively impact the alignment between CISO and IT, which is paramount to making the CISO job more effective,\u201d Villanustre adds. \u201cForcing these types of moves could backfire.\u201d<\/p>\n<p>With regulatory pressure mounting, especially in financial services, Villanustre believes CISO reporting structures will come under greater scrutiny. 
\u201cIt\u2019s likely that there will be changes soon that can alter the current statistics [of reporting lines for CISOs] quite significantly,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">What\u2019s in a reporting line?<\/h2>\n<p><a href=\"https:\/\/www.cio.com\/profile\/aaron-painter\/\">Aaron Painter<\/a>, CEO of security vendor Nametag, contends that reporting structures often mean less than the respect the CISO is granted.<\/p>\n<p>Painter is \u201cless dogmatic about where the CISO reports and more focused on whether they actually have a seat at the table,\u201d he says.<\/p>\n<p>\u201cOrg charts matter far less than influence,\u201d he adds. \u201cWhether the CISO reports to the CIO, the CEO, or someone else, the real question is this: Are they brought in early, listened to, and empowered to shape how the business operates? When that\u2019s true, the structure works. When it\u2019s not, no reporting line will save it.\u201d<\/p>\n<p><a href=\"https:\/\/greyhoundresearch.com\/svg\/\">Sanchit Vir Gogia<\/a>, chief analyst at Greyhound Research, argues that the trend to have CISOs report to an IT executive \u201cis one of the most structurally damaging legacy habits still entrenched in enterprise security governance.\u201d<\/p>\n<p>\u201cOn paper, it may seem like a clean alignment,\u201d he says. \u201cIn practice, it\u2019s a governance anti-pattern that quietly erodes the CISO\u2019s ability to surface truth, escalate risk, and hold the organization accountable. Keeping security under IT may seem convenient, but in today\u2019s threat landscape, it is a structural vulnerability disguised as tradition.\u201d<\/p>\n<p>Like the others, Gogia bases his argument on the potential for conflicts of interest.<\/p>\n<p>\u201cThe CIO\u2019s job is to enable business through technology. Innovation, delivery, velocity. The CISO\u2019s job is to identify and mitigate risk, even when that slows things down,\u201d Gogia says. 
\u201cWhen the CISO reports to the CIO, risk can be filtered, prioritized out of sight, or reshaped to fit a delivery narrative. It\u2019s not about bad actors. It\u2019s about role tension. And when that tension exists within the same reporting line, risk loses.\u201d<\/p>\n<p>Moreover, Gogia believes security reporting to IT \u201csends all the wrong cultural signals.\u201d<\/p>\n<p>\u201cEmployees know where power sits. If the CISO is three levels below the CFO, nobody takes their escalation seriously. If the CISO needs to ask their boss\u2019s permission to flag a critical control gap, that\u2019s not empowerment; it\u2019s containment. Over time, the organization learns to route security around the CISO, not through them,\u201d he says. \u201cWhat matters most is unfiltered visibility and the freedom to present uncomfortable truths without career penalty.\u201d<\/p>\n<p>Gogia argues in favor of a better reporting structure for cybersecurity.\u00a0<\/p>\n<p>\u201cWe\u2019re seeing the emergence of the chief digital risk officer (CDRO) model, which reframes the role altogether. Rather than being a technologist reporting into infrastructure, the CDRO is a senior executive responsible for digital risk across cyber, data, AI, and third-party exposure,\u201d Gogia says. \u201cThis role often sits beside the CRO and CFO, not below them. It reflects the reality that digital risk is not a subset of IT. It is a board-level category in its own right.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Despite inroads in the C-suite and rising prominence across the business at large, security leaders are still more likely to operate at a remove from the organization\u2019s executive leadership when it comes to reporting structures. 
According to IANS Research and Artico Search\u2019s 2026 State of the CISO Benchmark Report, 64% of CISOs still report into [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7225,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7224","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7224"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7224"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7224\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7225"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}