Grant & Graham Insights

The CISO Reporting Line: Why Putting It Under IT Is Now a Board-Level Risk

Written by Andrew Collins | May 14, 2026 9:21:46 PM

The CISO reporting line is one of those decisions that sounds organisational but behaves strategically. Whether it sits under the CIO is now a meaningful indicator of governance maturity — or its absence.

Where the CISO sits in the organisational structure has become a structural risk indicator — and boards that have not revisited this in the last two years are probably running a configuration that is no longer appropriate.

Why the Old Structure Worked and Now Does Not

The traditional CISO-reports-to-CIO structure had logical roots. Cybersecurity was an IT discipline, the threats were largely technical, and the budget was IT budget. The structure worked acceptably for two decades. It is now systematically inadequate for three reasons.

First, the threat profile is operational, not just technical — ransomware, supply chain compromise, and regulatory exposure are board-level questions that need a CISO with cross-functional standing. Second, regulatory expectations have shifted — DORA, NIS2, and sector regulators increasingly expect cyber to be governed at executive level, not nested under IT. Third, the structural tension between IT delivery priorities and security priorities means that a CISO reporting directly to the CIO will always have moments where their advice is filtered through their boss's other priorities.

What Better Structures Look Like

Three reporting patterns now distinguish organisations with mature cyber governance. First, CISO reports to CRO or to a Chief Resilience Officer — appropriate where the regulatory and operational risk dimension dominates. Second, CISO reports to COO — appropriate where operational resilience is the primary concern and the organisation's risk function is not yet at the right level.

Third, CISO reports directly to the CEO with strong audit committee engagement — appropriate for organisations where cyber is genuinely strategic and the CISO is at the right executive level. Each pattern has trade-offs. The common feature is that the CISO is not inside the IT function reporting to the executive responsible for IT delivery.

How to Make the Change Well

For organisations changing the structure, three considerations matter. First, the CISO profile may need to change with the role — the CISO who reports to the CIO is often a technical leader; the CISO who reports to the CRO or CEO needs to be a senior executive with technical depth, which is a different profile.

Second, the relationship with the CIO must be deliberately rebuilt — peers, not boss and report, with explicit operating cadence. Third, the audit committee's engagement model must mature — quarterly meaningful reviews, not annual presentation slots. Organisations that make these three moves together produce real governance uplift. Organisations that change the reporting line without the others produce dysfunctional structures.

What to do next

  • Review the CISO reporting line at board level — do not accept the legacy structure by default
  • Match CISO profile to reporting line — different roles need different leaders
  • Rebuild the CISO-CIO relationship deliberately as peers
  • Mature the audit committee's cyber engagement model to quarterly substance

If this resonates and you are leading a CISO reporting line that has not been revisited in the last two years, Grant & Graham can help. We provide governance design, executive structure advisory, and cyber resilience programmes for boards, audit committees, CEOs, and CROs across EMEA. Start a conversation.