A significant majority of security leaders still report to IT — a situation rife with conflicts of interest given how AI and business risks are spurring CIO and CISO roles to separately evolve, experts say.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

64% of CISOs still report to IT leadership (CIO or CTO), a structure that security experts argue creates inherent conflicts of interest. The CIO is incentivized for efficiency and delivery velocity, while the CISO must prioritize risk reduction — goals that frequently clash over budgets, patching schedules, and resource allocation. Multiple security leaders and analysts advocate for CISOs reporting directly to the CEO or general counsel to ensure unfiltered risk escalation. Some analysts point to an emerging 'Chief Digital Risk Officer' model that positions digital risk — spanning cyber, data, AI, and third-party exposure — as a board-level function alongside the CFO and CRO rather than beneath IT.

It’s time to rethink CISO reporting lines