By Alissa Irei, TechTarget, and John Burke, Nemertes Research. Published on ComputerWeekly.de; last updated May 11, 2026.

Who should the Chief Information Security Officer (CISO) report to, and who should they be accountable to? It depends on who you ask and on what the organization wants to achieve by establishing a CISO role. For the majority of enterprises, however, it is essential that the CISO reports directly to a member of the board and not to the CTO, with as few management layers as possible between the CISO and the CEO. Research shows that enterprises achieve worse security outcomes, measured by objective and concrete indicators, when the CISO reports to someone who is neither the CEO nor a direct report of the CEO.

Typical CISO reporting lines

CISOs typically report to a senior executive such as the CEO, COO, or Chief Risk Officer (CRO), or to a technology manager, usually the CIO. The reporting line reflects how the organization perceives cybersecurity: as a strategic business factor, as a function primarily responsible for business continuity and data integrity, as part of enterprise risk management, as a compliance obligation, or simply as a technical security activity supporting IT operations.

When the CISO reports to the CEO, cybersecurity is positioned as a strategic business factor. Research shows that organizations where the CISO reports directly to the CEO typically achieve the best security outcomes.

Benefits of the CISO reporting to the CEO