What is the reporting line for Information Security in your organization?

LeadershipArchitecture

Via the CIO/CTO57%

Via the CRO29%

Via the CFO7%

Our CISO reports directly to the CEO5%

868 PARTICIPANTS
7.7k viewscircle icon4 Comments
Sort by:
Strategic Banking IT advisor in Banking2 years ago

For years, Security has been part of IT.  But since 3 or 4 years, the team is not directly under the CEO.   Which makes sense since Security isn't only IT.   It includes physical security (offices, buildings, employees), risks, cybersecurity, data protection, etc.

Being under the CEO is also giving them a total independance over IT or LOB.

vp information technology in Consumer Goods3 years ago

CISO is a risk manager and as such should report to COO, GC, CFO or CEO. What say you all?

Director in Manufacturing4 years ago

Ours was directly to CEO for years until a major breach and the CEO realized he wanted an extra layer of insulation from CISO and any blame. Now CISO and CIO report to CFO with a dotted line to CTO in Engineering

Lightbulb on1
Director of Information Security in Energy and Utilities4 years ago

Would be interesting to see this trend over future years. Supposedly there's been a lot of talk over last few years that InfoSec should be reporting to someone other than CIO (to avoid conflict of interest issues) but reality is that that is still the most prevalent relationship and if it is changing then the pace of change is very slow. Curious if anyone has seen in their orgs this change?

Content you might like

For large-scale transformations, would you consider complementing your technology and process work with consulting focused on leadership alignment, mindset transformation, and accelerating measurable results across teams?

Read More Comments

What adjustments are you planning to make to your org’s cyber budget for 2026 (if any)?

As a workflow management / Service desk / Help-Desk / Support center key stakeholder, do you consider this activity fully optimized within your company?

If not, what would be the top 2 elements that could be improved the most according to you?

Costs involved by this activity (external and internal)24%

Response time / waiting time / resolution time70%

Resolution quality39%

Automation21%

Knowledge / skills / know-how / expertise8%

View Results

When it comes to running phishing simulation campaigns. What is the best practice on how often they should be run and at what cadence should phishing simulation emails be sent out? Some organizations only run a campaign once per quarter sending out a simulated phishing email about once per week while other organizations run continuous campaigns sending out phishing simulations about once every 2 weeks. What are other organizations doing and what is the best practice?

Read More Comments

What capabilities do you have to control AI access to data sources at your organization?

data security posture management 43%

data loss prevention 71%

data access governance 57%

encryption 43%

privacy enhanced technology 14%

use of synthetic data 29%

None, not using AI

View Results