Playing Devil’s Advocate: Why the CISO Shouldn't Always Report to the CEO
- Martin Bally

- Mar 24
- 4 min read

I want to play Devil's Advocate for a minute. If you read the latest industry articles or listen to the loudest voices in the room, there is a constant, almost dogmatic drumbeat: the CISO must report directly to the CEO. But after a career spent reporting across the entire C-suite, from the CIO and COO to the CFO and General Counsel, I have come to a different view. I recently presented at an HMG Advisory Board meeting on the topic, and I'll give you my personal experience on why that direct reporting line is not for everybody.
In fact, blindly placing a CISO under the CEO without considering the individual or the company culture can actually be a recipe for failure. Here is why we need to rethink the CISO reporting structure, and why business acumen matters far more than where you sit on the org chart.
The Industry Factor: Tech vs. Legacy
First and foremost, the ideal reporting structure heavily depends on the type of organization. If a company is purely tech-driven, think SaaS, AI, or born-in-the-cloud startups, having the CISO report directly to the CEO makes a lot of sense. In those environments, the technology is the product, so cyber risk is directly tied to the company's survival.
But look at legacy industries, manufacturing, or heavy industrials. In those environments, the CEO's primary focus is often supply chain, physical production margins, or legacy operations. Forcing a CISO to report to the CEO in those sectors might actually misalign security from where the real operational risks lie. In those cases, the CISO might not belong under the CEO at all; they might be far more effective reporting to a COO who controls the plant floor or a CRO managing enterprise risk.
The "20% Reality" of the Modern CISO
Historically, the CISO role was filled by highly technical professionals. Today, the industry expects these technical experts to instantly transform into seasoned business executives. The reality? Probably only about 20% of current CISOs have the deep business savvy required to effectively report directly to the CEO or executive leadership.
When a purely technical CISO reports to the CEO, they often get lost in translation, struggling to articulate their value. Furthermore, a direct-to-CEO CISO in certain organizations might find themselves on the road constantly, pulled into customer meetings, M&A discussions, and leadership events. This can take them entirely away from their core responsibilities. Often, a periodic, highly effective checkpoint with executive leadership is all that is actually needed.
Learning from the Rest of the C-Suite
There is a massive, overlooked benefit to reporting outside of the CEO's office. A CISO who understands how to leverage different reporting lines can build vital cross-functional skills:
The CIO (The Power of Two Voices): Many CISOs actually need the CIO's help and structural support. Far from being a conflict of interest, aligning closely with the CIO means you now have two powerful voices advocating for technology and security resources.
The General Counsel (The Storytellers): In highly regulated spaces like FinTech, reporting to the GC is invaluable. Lawyers are objective, fact-driven, and master storytellers. A CISO reporting here learns how to drop the technical jargon, use effective analogies, and relate security directly to product liability and legal risk.
The CFO (The ROI Check): Reporting to the CFO forces a CISO to develop financial acumen. If you cannot translate cyber risk into financial impact and ROI, you will fall flat. It forces the CISO to speak the language of the bottom line.
The Unique Vantage Point of Technology
Today, successful companies must have a "technology-first, AI-first" mentality. Because IT and Security integrate with every single department, from HR to supply chain to finance, technology leaders have a better understanding of how the business truly runs than almost anyone else in the company.
A successful CISO leverages this vantage point. They understand the dependencies across the enterprise, participate in strategic planning, and align their security initiatives directly with business operations.
The Ultimate Goal: Shareholder Value and Board Governance
To truly succeed, a modern CISO must stop looking at security in a vacuum and start looking at it through the lens of board governance. The ultimate goal of the board is to return shareholder value.
For CISOs looking to elevate their strategic impact, I highly recommend pursuing certifications beyond traditional technical tracks. Credentials like the NACD (National Association of Corporate Directors) certification and the QTE 501 (Qualified Technology Expert) are game-changers. They teach you how to understand board governance, evaluate digital and systemic risk, and, most importantly, measure and translate that risk back to the board in a way that protects and drives shareholder value. And having two tech-savvy board members is what is making companies more successful and delivering significant value.
The Bottom Line: Don't obsess over the reporting line. Obsess over your business acumen. A business-savvy CISO who builds relationships, understands enterprise dependencies, and speaks the language of the board will succeed no matter where they sit on the organizational chart.