Who should the CISO report to?

Team & Organizational DesignSecurity Strategy & Roadmap

CEO19%

COO22%

CFO14%

CIO33%

Board7%

Not sure2%

Other (please specify in the comments)1%

203 PARTICIPANTS
2.5k viewscircle icon2 Comments
Sort by:
Director of Engineering in Healthcare and Biotecha year ago

Chief Compliance Officer or Chief Legal Officer are two other options. Key is independence between the CISO and the CIO to ensure unbiased oversight of cybersecurity independent of IT operational priorities.

Executive Director of Technology in Healthcare and Biotech2 years ago

Agree with Brad. It's an absolute conflict of interest to report to the CIO in my opinion. I'd go with CEO most likely. 

Content you might like

Which of these areas are you targeting for funding increases in your 2026 cybersecurity budget? (Choose all applicable)

Threat detection & response 50%

Identity & access management 61%

Cloud security 48%

Security awareness training 30%

Other 2%

N/A

View Results

What are the challenges and best practices in implementing robust time-sensitive access controls and location-based risk assessments for secure remote work environments?

Read More Comments

Would you prefer to build or buy a cybersecurity mesh architecture (CSMA) solution?

Build27%

Buy53%

Too early to tell16%

What’s cybersecurity mesh architecture (CSMA)?2%

View Results

What sorts of challenges have you encountered in adapting your governance framework to address AI adoption across business units, and how are you attempting to resolve these?

Read More Comments

Most of the application team I lead is in Brazil and the global IT leadership (US-based) now wants to move some of that work to a new global delivery center in India to be more cost effective, but I have doubts. The Brazil team is delivering good quality — is cost efficiency enough reason to relocate the work? What are the biggest pros/cons we need to consider?