What is the reporting line for Information Security in your organization?

Leadership Architecture

Via the CIO/CTO57%

Via the CRO29%

Via the CFO7%

Our CISO reports directly to the CEO6%

882 PARTICIPANTS

7.7k views4 Comments

Sort by:

Strategic Banking IT advisor in Banking2 years ago

For years, Security has been part of IT. But since 3 or 4 years, the team is not directly under the CEO. Which makes sense since Security isn't only IT. It includes physical security (offices, buildings, employees), risks, cybersecurity, data protection, etc.

Being under the CEO is also giving them a total independance over IT or LOB.

vp information technology in Consumer Goods3 years ago

CISO is a risk manager and as such should report to COO, GC, CFO or CEO. What say you all?

Director in Manufacturing4 years ago

Ours was directly to CEO for years until a major breach and the CEO realized he wanted an extra layer of insulation from CISO and any blame. Now CISO and CIO report to CFO with a dotted line to CTO in Engineering

Director of Information Security in Energy and Utilities4 years ago

Would be interesting to see this trend over future years. Supposedly there's been a lot of talk over last few years that InfoSec should be reporting to someone other than CIO (to avoid conflict of interest issues) but reality is that that is still the most prevalent relationship and if it is changing then the pace of change is very slow. Curious if anyone has seen in their orgs this change?

Content you might like

How can the risk management function be strengthened to counterbalance overly aggressive executive decisions?

What’s your organization doing to protect against risks related to disinformation? How are you approaching this & which business unit leaders are currently involved?

Are you using OKRs (Objectives and Key Results)?

Not using OKRs47%

Using OKRs within some business units44%

Using OKRs enterprise wide7%

View Results

Disesdi Susanna Cox outlines 3 critical threats:
1. Non-deterministic decisions – same prompt, different actions (e.g., unintended transfers).
2. Cascading failures – multi-step tasks = more attack surface.
3. Emergent behavior – guardrails can’t cover infinite edge cases; focus on blast radius and recovery.

3 Controls to Implement Now:
• Map agent workflows to attack tactics (MITRE ATLAS)
• Weekly prompt-injection tests (OWASP + CSA)
• Least-privilege, expiring agent tokens (NIST AI RMF + CSA MAESTRO)

Which control or framework gives you the biggest headache, and how are you tackling it?

Full analysis: https://disesdi.substack.com/p/openai-just-dropped-their-agentic

Which of the following actions do you believe the technology sector should take the most seriously in order to promote inclusion and diversity?

Hire more people from underrepresented groups9%

Create a more inclusive workplace culture39%

Advocate for policies that support diversity and inclusion32%

Educate employees about unconscious bias and microaggressions13%

Invest in programs to develop the skills of underrepresented groups6%