By Alissa Irei, TechTarget, and John Burke, Nemertes Research. Last updated May 11, 2026.

Who should report to the Chief Information Security Officer (CISO), and to whom should this role itself report? It depends on whom you ask and what the organization aims to achieve by establishing a CISO role. However, most companies consider it essential that the CISO reports directly to a member of executive leadership (ideally the CEO, and not the CTO), with as few management levels as possible between them. Research shows that organizations achieve worse security outcomes, measured by objective and concrete indicators, when the CISO reports to someone who is neither the CEO nor a direct report of the CEO.

Common CISO reporting structures

CISOs typically report to a senior business executive such as the CEO, COO, or Chief Risk Officer (CRO), or to a technology manager, most often the CIO. The choice depends on how the organization views cybersecurity: as a transformative business factor, as a factor in ensuring business continuity and integrity, as an element of risk management, as a compliance requirement, or as a security function subordinate to IT services.

When the CISO reports to the CEO, cybersecurity is viewed as a strategic business factor. Research shows that organizations in which the CISO reports directly to the CEO generally achieve superior cybersecurity outcomes.

Benefits when the CISO reports to the CEO
ComputerWeekly.de