A substantial number of security leaders continue to report to IT departments, a situation experts believe is fraught with conflicts of interest. This issue is becoming more pronounced as artificial intelligence and evolving business risks drive the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) roles to develop independently.
Even with increased visibility in the C-suite and broader business recognition, security leaders often remain distant from an organization’s top executive leadership in terms of their reporting lines.
The 2026 State of the CISO Benchmark Report by IANS Research and Artico Search indicates that 64% of CISOs still report to IT, typically to the CIO or CTO. Only 11% report directly to the CEO, while others report to the CFO (5%), chief risk officer (5%), legal counsel (5%), or various other business roles (5%).
While the survey noted a gradual shift in reporting lines and the growing importance of dotted-line responsibilities, traditional structures largely persist. This raises a critical question: Is this reporting arrangement still effective?
The long-standing concern with CISOs reporting to CIOs is the potential for, or perception of, a conflict of interest.
Cybersecurity consultant Brian Levine, executive director of FormerGov and a former federal prosecutor, suggests this concern is even more valid today. He describes it as a “legacy model” that treats security as a technical function rather than an enterprise-wide risk discipline. Levine explains that when a CISO reports to a CIO, cost containment might take precedence over risk reduction.
Conflicts of Interest
Levine asserts that reporting to a CIO inherently creates a conflict of interest. He elaborates that CIOs are often rewarded for efficiency and cost savings, whereas CISOs are tasked with identifying risks that frequently necessitate new expenditures. He likens it to a fire marshal reporting to someone whose bonus depends on reducing the number of sprinklers.
Levine advocates for enterprise CISOs to report at a higher level. He suggests that ideally, a CISO would report to the CEO or general counsel, roles explicitly accountable for enterprise risk. He emphasizes that security is fundamentally a risk and governance function, not merely a cost center. When CISOs have independence and a direct line to top leadership, organizations can make clearer, more informed decisions about risk, rather than just cheaper ones.
Zach Lewis, CISO at the University of Health Sciences and Pharmacy in St. Louis, concurs that reporting to IT creates a conflict. Lewis points out that a CIO prioritizes system availability, while a CISO may need to take systems offline for patching or fixes. He offers a hypothetical scenario where a CIO might discourage a security upgrade to avoid impacting their bonus.
Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, identifies resource allocation as another area of conflict. He notes that IT executives are often heavily incentivized to deliver new capabilities, which can strain the resources available to the CISO when trying to embed security and privacy into these projects.
However, Villanustre also cautions that having the CISO report to roles like general counsel or CFO “could negatively impact the alignment between CISO and IT,” which is crucial for the CISO’s effectiveness. He warns that such shifts could be counterproductive.
With increasing regulatory pressure, particularly in financial services, Villanustre anticipates greater scrutiny on CISO reporting structures. He believes significant changes to current CISO reporting statistics are likely in the near future.
What’s in a Reporting Line?
Aaron Painter, CEO of security vendor Nametag, suggests that the actual reporting structure is less important than the respect and influence a CISO commands. Painter states he is “less dogmatic about where the CISO reports and more focused on whether they actually have a seat at the table.”
He adds that “org charts matter far less than influence.” Painter argues that the real question is whether the CISO is involved early, listened to, and empowered to shape business operations. If these conditions are met, the structure functions; otherwise, no reporting line will ensure success.
Sanchit Vir Gogia, chief analyst at Greyhound Research, contends that the practice of CISOs reporting to an IT executive is “one of the most structurally damaging legacy habits” in enterprise security governance. He acknowledges that it might appear as a clear alignment on paper, but in practice, it acts as a “governance anti-pattern” that silently undermines the CISO’s ability to reveal truths, escalate risks, and hold the organization accountable. Gogia warns that while keeping security under IT might seem convenient, it represents a “structural vulnerability disguised as tradition” in today’s threat landscape.
Gogia, like others, emphasizes the potential for conflicts of interest. He explains that a CIO’s role is to enable business through technology, focusing on innovation, delivery, and speed. Conversely, a CISO’s role is to identify and mitigate risk, even if it means slowing things down. When the CISO reports to the CIO, risk information can be filtered, deprioritized, or altered to fit a delivery narrative. He clarifies that this is not about malicious intent but about inherent role tension, where risk often loses when this tension exists within the same reporting line.
Furthermore, Gogia believes that security reporting to IT sends “all the wrong cultural signals.” He states that employees understand where power lies. If a CISO is several levels below the CFO, their escalations may not be taken seriously. If a CISO needs permission from their superior to flag a critical control gap, it signifies containment rather than empowerment. Over time, organizations may learn to bypass the CISO for security matters. Gogia stresses that unfiltered visibility and the freedom to present uncomfortable truths without career repercussions are paramount.
Gogia advocates for an improved cybersecurity reporting structure. He highlights the emergence of the chief digital risk officer (CDRO) model, which redefines the role. Instead of being a technologist reporting to infrastructure, the CDRO is a senior executive responsible for digital risk across cyber, data, AI, and third-party exposure. This role often sits alongside the CRO and CFO, not beneath them, reflecting that digital risk is a distinct, board-level category, not merely a subset of IT.
