CIO Insight: CISO Reporting Structure

The National CIO Review polled our exclusive CIO Professional Network to see where this structure still stands - these are the results.
H. Michael Burgett
Contributing Writer

Long before the COVID-19 crisis, the Chief Information Security Officer role has been on a path of increased influence across the corporate enterprise. As organizations consider their response to a distributed workforce and the continued growth of security obligations, the reporting structure for the CISO continues to evolve and will be heavily debated.

In June 2020, The National CIO Review polled our 2000+ member CIO Professional Network* to obtain the current state of the CISO reporting structure. 

To whom, in fact, does a CISO report? The data shows that the current structure for most CISOs still has them reporting primarily to the CIO/CTO of the company. While other national studies show a larger percentage reporting directly to a CEO versus these findings, our members report while that might be preferable, reality may not currently align.

As a follow-up question, our CIO Network members were also requested to report how their top security professional is titled in their organization.  While over 50% of organizations recognize this role at the C-level, less than 40% keep this function titled at the Director level or below.

In conclusion, we are in a state where the influence of the top information security professional continues to expand.  Organizations of all sizes are placing more responsibility upon this very important role and we are sure that the reporting structure and executive level of the CISO will continue to evolve.


*The CIO Professional Network is an active, member-driven network where technology leaders share best practices and insight on common issues. The network provides a forum for ongoing and mutually beneficial interactions. To request membership navigate to the CIO Professional Network.

Enter your username and password to log into your account