Let’s get one thing clear before the polite-speak kicks in: putting your CISO under the CIO is like asking your arsonist to supervise the fire inspector. What twisted org chart conjured that nonsense?
The CISO’s job is to scream “STOP” when everyone else is high on digital Kool-Aid and barreling toward a cliff. The CIO? Their job is delivery. Features. Uptime. Deploy fast, pray later. They see the CISO not as a partner, but as a speed bump with a salary. So why, in the name of Sarbanes-Oxley, would anyone think it’s a good idea for the person responsible for protecting the company to report to the person whose bonus depends on ignoring that protection?
Here we are again. The Chief Information Security Officer, the supposed guard of your digital kingdom, ends up chained to the Chief Information Officer or Chief Digital Officer. Did we think it through? That structure makes no sense unless you enjoy pretending your front door has a lock while the security guard works for the intruder.
CISOs are expected to be business leaders, but many are placed far below the level where key decisions are made. I’ve heard CFOs and finance folks talk confidently about EBITDA, only to completely miss the disconnect between that and revenue. GAAP vs. non-GAAP isn’t just accounting trivia; it shows how people latch onto numbers they barely understand while ignoring the full picture. This is how CISOs get hanged before the crime. For the record, Charlie Munger is my hero.
People treat enablers and blockers as binary. Business is full of risk, but there’s a line between taking risks and being reckless. Security is often seen as a blocker because it insists on brakes when the car’s speeding toward a cliff. The right business leaders ask, “Is the juice worth the squeeze?” and are ready to call it when it isn’t.

So let’s break this down. The CISO should report directly to the CEO or, better, to the entire C-suite. Not to anyone with skin in the tech-delivery game. The CISO protects the company from malicious actors and digital failure. When that fails, the CISO becomes the IT janitor. The CEO and team own risk. They must be in the same room as the CISO, but never in a chain of command where conflict of interest becomes policy.
If direct reporting to the CEO isn’t possible, there is a backup option. The CISO can report to someone with the power to enforce risk-based decisions. This person must have the authority to stand up to the CIO and say, “Security isn’t optional, and this company will comply.” Usually, that’s the Chief Risk Officer or the General Counsel. They don’t care about uptime. They care about solvency, court dates, and regulatory landmines. They understand the costs of silence and the damage of delay.
What makes this structure work is simple: both CRO and GC report to the CEO or Board. That makes a security issue an enterprise risk, not just a tech problem. This keeps security independent and forces the company to take it seriously.
Why doesn’t this happen more often? Because pretending security is just a technical problem is easier. Give it to IT. Move on. But most security issues are really trade-offs between convenience and survival. That decision has to be made above the tech layer.
The CISO needs direct access to the CEO. No delays. No filters. Just clear, honest conversations. Monthly briefings. Decisive meetings when alarms go off. A CISO must teach the CEO how to read the weather. Security is not just one box on a form. It’s the pressure holding up the whole building. Without that clarity, the system breaks.
No structure is perfect. Every org is different. Every executive team is different. Every CISO is different. That means many walk a tightrope soaked in gasoline, while everyone else flings matches.
When I work with a new company, I watch what happens after the first meeting. I’ve worked with a CEO of a 40,000-person firm who met with me monthly. That company wasn’t even tech-heavy. At another firm, smaller, I never saw the CEO except at Board meetings. That told me everything.
When the CISO reports to the CIO, that link breaks. Suddenly, security becomes just another cost center. Warnings are seen as friction. Budget fights take priority over protection. That’s why data disasters keep happening: the security voice is dulled, drowned, or deleted.
The mental model matters. Would you let the coach choose the referee? That ruins the game. Yet we let CIOs pick the person meant to keep their work honest. The people pushing releases often have no emotional or financial stake in failure. But when a breach happens, everyone burns.
Customers and shareholders believe their data is secure. That requires independence. If your CISO answers to your CIO, there is no independence. When things go wrong, regulators investigate, investors panic, and trust disappears. And the CISO? Hidden behind a chain of budget requests and political risk avoidance.
I’ve worked under great CIOs. FISMA made the CISO report to the CIO. That became the default. Before that, CSOs had wider latitude. I’ve run both physical and digital security. I’ve reported to just about everyone. The title matters less than the integrity of the person in charge. One CIO shift can flip a role from empowered to neutered.
Some companies are dropping the CISO entirely. They fold it into the CIO, merge duties, call it savings. This overlooks the cost of fines, lawsuits, and damage. Boards may think cyber risk is a footnote. Until it’s a headline. They reassign CISO roles to digital leads who treat it like backlog, not leadership. Then comes the breach, and suddenly there’s a new CISO. But now, that person just signs reports written by the team under the CIO’s command. No real power. No real defense.

Why fold it under IT? Because it makes delivery easier. Tech leaders love growth. Security slows it down. Compliance eats sprints. So they wrap the CISO into digital orgs and kill the dissent. Then security becomes invisible, until it explodes.
That move is regression. Security becomes a checkbox. Real authority vanishes. Red flags go silent. Breaches creep through. Bots pivot laterally. And zero-days stay open, not for lack of patches, but because approval chains blocked the fix.
That is not security. That is negligence.
Imagine a power grid where safety engineers report to the lineman. That’s not oversight. That’s a meltdown waiting for a spark.
CEOs sometimes bury CISOs under CIOs for deniability. They won’t say it, but it gives them distance from blame. But if a breach wipes out $3 million in data, that distance means nothing. The courts don’t care. Neither do regulators. Or customers.
I can hear the wild melancholy call of the external counsel. A wonderful bird of prey. Let me count the ways they exacerbate breaches. But that is a story for another flaming tightrope of doom and another time.
It happens in cycles. After a breach, the CISO rises. Board access. Budget. Respect. Time passes. No breach. They bury the role again. Then comes another breach. Same pattern. Same failure.
External audit firms sometimes ask me to sign non-interference statements. Just to confirm I can speak directly to the board without being edited. I’ve only signed once. Most CISOs I meet don’t even grasp the difference between the executive team and the board. In regulated industries, the CISO has responsibility to both. In looser ones, that balance often vanishes.
What should break the cycle? Security engineering.
Not just audits or posture slides. Real engineering. Security baked into infrastructure, from line one of code. Threat modeling. Policy-as-code. Validations in CI/CD. Autonomy in tooling. Continuous IR exercises. This takes budget, scale, and authority. And it fails if the CISO answers to the CIO.
Security engineering is about ownership. CISOs must lead. They must design. The CFO, GC, and COO should be equals in risk. Security isn’t a ticket queue. It’s part of system design. Leadership must require DevSecOps from day one. Pull requests should carry threat scans. Packages should come from vetted sources. Engineers should reject weak libraries. And CISOs should be able to halt projects, not just give advice. That only happens when the CISO reports to the CEO or board.
Too often, CISOs are placed in IT orgs because “it’s all technical stuff” (according to the CEO), only to find the barren wasteland on fire and to be told they aren’t allowed to touch the technology. Once in a while, they hand you a glass of water and say, “handle it.”
The Board of Directors, especially the Audit Committees, needs direct security input, because they oversee legal, financial, reputational, and compliance risk. They see the full chessboard. There is a clear distinction between the management team and the board of directors. A good CISO will understand that.
So who should report to the CISO? Everyone responsible for risk defense. Security engineering. Incident response. Identity and access. Risk and compliance. Security operations. Architecture. All of it.
Not dotted lines. Not advisory roles. Real reporting lines. That’s how you build accountability. Split these teams and you guarantee failure.
Build like it matters. Because it does. If you treat security as optional, it will fail when you need it most. If you give it power and independence, you give your business a fighting chance.