CISO Sentinel

New data from IANS shows that 64% of CISOs still report to a technology leader, despite years of debate about the need for a direct line to the business. This isn't just an org chart issue; it's a fundamental constraint on the CISO's ability to be a true strategic partner.

It's one of the longest-running debates in cybersecurity: where should the CISO report? For years, the conventional wisdom has been that a direct line to the CEO or another business leader is essential for the CISO to be effective. And yet, the latest data shows that we are still a long way from that reality.

According to the IANS 2026 State of the CISO Infographic, a staggering 64% of CISOs still report to a technology leader, typically the CIO or CTO. Only 36% report to a business leader, and even within that group, the reporting lines are fragmented. This isn't just a matter of organizational structure; it's a reflection of how cybersecurity is still perceived in many organizations: as a technical problem to be managed, rather than a business risk to be addressed.

When the CISO reports to the CIO, there is an inherent conflict of interest. The CIO is responsible for delivering technology services, and security can often be seen as a roadblock to innovation and speed. This can put the CISO in the difficult position of having to advocate for security measures that may be at odds with the CIO's priorities.

Furthermore, reporting to the CIO can limit the CISO's visibility and influence at the board level. While the CISO may have a dotted line to the board, the primary channel of communication is often through the CIO, which can filter and dilute the CISO's message.

The IANS data also reveals an interesting trend: in smaller organizations (less than $1 billion in revenue), CISOs are more likely to have an executive-level title and report to a business leader. This suggests that in more agile, less bureaucratic organizations, there is a greater recognition of the strategic importance of cybersecurity.

So what's the solution? There is no one-size-fits-all answer, but it's clear that the conversation needs to shift. CISOs need to be more proactive in demonstrating the business value of cybersecurity, and boards need to be more demanding in their oversight of cyber risk. As long as the CISO is buried in the IT organization, cybersecurity will remain a technical sideshow, rather than a strategic imperative.

CISOInternals

The CISO Reporting Paradox: Why Reporting to the CIO is Still the Norm, and Why That's a Problem

Related Coverage

Your Product Roadmap is a Lie. Here's Why.

The Quiet Genius Who Just Sold His Second Company to a Tech Giant