Should CISOs Report Directly to the CEO? A Strategic Debate
- harryafzal
- Apr 11
John C. Fay MBE - April 2025
Scene Setting
In an era increasingly defined by digital interdependence, geopolitical instability, and sophisticated cyber threats, the question of how cybersecurity leadership is structured within organisations has taken on new urgency. One key consideration gaining traction across industries is whether CISOs should report directly to the CEO. This debate is not purely one of organisational structure; it reflects a deeper strategic conversation about how seriously cybersecurity is treated at the most senior levels of leadership.
This essay explores both sides of the argument, weighing the potential benefits and risks associated with elevating the CISO to report directly to the CEO. It ultimately leans towards supporting the change, while acknowledging that further comprehensive research is necessary to draw definitive conclusions applicable across diverse sectors.
The Case for Direct Reporting: Cybersecurity as a Strategic Priority
The most compelling argument for CISOs reporting directly to the CEO lies in the evolving nature of cybersecurity itself. What was once considered a technical, back-office function has become a central strategic concern. Cyber incidents today are not confined to IT systems; they often have wide-ranging implications for business continuity, public trust, regulatory compliance, and even national security. The digital threat landscape in 2025 is characterised by increasingly targeted attacks, many of which are linked to sophisticated criminal groups and/or state-sponsored actors such as Russia, Iran, North Korea and China.
In this context, it is increasingly untenable for cybersecurity to remain subordinate to traditional IT functions. A direct reporting line to the CEO places the CISO at the heart of executive decision making, allowing for faster responses to emerging threats, better alignment between cyber risk and corporate strategy, and clearer lines of accountability in times of crisis. Delays in decision making during a cyber incident can cost organisations millions, while fragmented oversight can lead to vulnerabilities being overlooked or misunderstood.
Additionally, the most persistent weakness in organisational cybersecurity is not technological; it is human. Studies by IBM suggest that human error is involved in approximately 68 percent of security breaches, including through phishing attacks, poor password hygiene, and misconfigurations. To address this, cybersecurity must become embedded in the culture of the entire organisation, not just within technical teams. CISOs who sit on the executive team are better positioned to influence this cultural change, shaping behaviour across all levels of the business and reinforcing secure practices from the top down.
A number of major US organisations have already adopted this governance model. At JPMorgan Chase, Rob Alexander’s direct reporting relationship with the CEO ensures security is treated as integral to global operations. Bank of America and Visa follow a similar approach, positioning their CISOs, Stephanie Hodges and Neil Schwartz respectively, at the core of strategic planning and risk oversight. These examples suggest that in sectors where the potential impact of a breach is especially high, embedding the CISO within the executive leadership team is already seen as good governance and sound business practice.
Counterarguments: Risks and Limitations of Structural Change
Despite these strong arguments, there are valid concerns about the practicality and necessity of altering reporting lines in all organisations. Traditionally, CISOs have reported to the Chief Information Officer (CIO), Chief Operating Officer (COO), or even the Chief Risk Officer (CRO), depending on organisational structure and industry. In many cases, these arrangements have worked effectively, particularly when the CISO has access to the board and is supported by a leadership team that understands and prioritises security.
One potential risk of changing reporting structures is the fragmentation of technical functions. When the CISO is removed from the broader IT or operational ecosystem, there is a risk that coordination between teams may suffer, or that strategic objectives become misaligned. Furthermore, placing the CISO directly under the CEO may create tension or competition for resources with other departments, especially if roles and responsibilities are not clearly defined.
There is also a concern about overloading the CEO with yet another direct report, particularly in large organisations where the executive team is already stretched thin. In such cases, it may be more effective to ensure the CISO has board-level visibility and influence, without necessarily adding to the CEO’s day-to-day operational responsibilities.
Moreover, structural change alone does not guarantee improved outcomes. The effectiveness of a CISO depends as much on their ability to influence, communicate, and lead cultural change as it does on their position within the hierarchy. Simply moving the reporting line without addressing underlying issues such as budget, authority, or leadership capability may have little practical impact.
A Balanced Perspective: The Case for Further Study
While the trend towards CISOs reporting directly to the CEO appears to be gaining momentum, especially in critical industries, it would be premature to advocate this approach as a one-size-fits-all solution. Organisational maturity, industry-specific risks, existing governance frameworks, and leadership dynamics must all be taken into account.
However, early evidence suggests that this structural change can deliver significant benefits in terms of response agility, cultural transformation, and strategic alignment. It also sends a clear message both internally and externally: that cybersecurity is not a secondary issue, but a core business concern.
Therefore, while the argument in favour of direct reporting is persuasive, particularly in high-risk sectors such as finance, utilities, defence, telecommunications, and healthcare, a comprehensive, cross-sector study is needed to understand the long-term implications of this shift. Such research should consider not only cyber outcomes, but also impacts on leadership effectiveness, organisational resilience, and board-level engagement with risk.
Summing up
In a world where cyber threats are both a strategic and existential challenge, it is right to question whether traditional governance models are still fit for purpose. Placing the CISO on an equal footing with other executive leaders by establishing a direct reporting line to the CEO may well be a step towards greater organisational resilience.
Yet this approach is not without its challenges. The success of any structural change depends on context, execution, and the readiness of the wider organisation to support it. What is clear, however, is that cybersecurity leadership can no longer be siloed or reactive. It must be embedded at the highest level of the organisation, guided by informed leadership and underpinned by a strong, security-conscious culture.
In that spirit, the debate about CISO reporting lines should not be seen as a binary choice, but as part of a broader conversation about how organisations structure themselves for resilience in 2025 and beyond. The early evidence is promising, but to move forward with confidence, we must invest in further analysis, learning not only from success stories, but also from the complexities and challenges that come with change.