2026 Report Finds Executive-Level CISO Titles More Prevalent than Ever
January 26, 2026 – The cybersecurity function continues to rise in prominence, expand in scope and gain visibility. Consequently, chief information security officers (CISOs) are increasingly expected to serve not just as technical leaders, but as enterprise-wide strategists. Their rise to the executive ranks brings greater influence but also greater demands, including wider accountability, more cross-functional engagement, and intensified expectations and oversight from senior leadership and boards, according to IANS and Artico Search’s 2026 State of the CISO Benchmark Report.
An executive-level title is widely viewed by CISOs as essential for influencing the business and driving meaningful impact, according to the IANS and Artico report. “It gives them access to strategic discussions, enables them to communicate security risks to top leadership and helps align security priorities with broader business objectives,” the study said. “A CISO’s place in the organizational hierarchy and their reporting line also shapes their visibility and influence. Those with executive-level titles and a reporting line to senior business leaders—formal or informal—are more likely to be involved in strategic decision-making than their director-level peers embedded within the IT function.”
“Executive CISO titling and positioning in a company’s organizational structure is not just about operational efficiency and bringing the right executive level visibility to technical risk discussions and priorities,” said Matt Comyns, president and co-founder of Artico. “When balancing priorities, teams and cross-functional leaders will respond more favorably to a true security executive peer, as opposed to someone several layers below them in an organizational hierarchy.”
Currently, 46 percent of CISOs hold executive-level titles (including EVP and SVP), 27 percent are VPs and 27 percent directors. Across revenue segments, these executive CISOs represent the largest group. “The share of executive CISO titles is largest at both ends of the revenue spectrum—though for different reasons,” the IANS and Artico report explained. “In small firms, leadership teams are lean, and CISOs hold elevated titles because they oversee a broad range of functions, not necessarily because they have enterprise-wide strategic influence. In some cases, an inflated title also helps offset comparatively lower compensation. By contrast, at large enterprises, the executive CISO is more likely to reflect a genuine executive position, with direct involvement in corporate strategy, C-suite and board engagement, and enterprise risk governance.”
Gradual Elevation of the CISO Role in Large Organizations
Over the past three years, the IANS and Artico report found that the share of executive-level CISO roles at large enterprises with over $1 billion in annual revenue has risen sharply—from 33 percent in 2023 to 47 percent in 2025. The increase is even more pronounced among large publicly listed companies where executive-level CISO representations increased by 21 percentage points, from 34 percent in 2023 to 55 percent in 2025.
“Much of the growth in executive-level titles came from the VP CISO segment, where organizations either promoted their VP-level CISO to the executive ranks or replaced them with a newly hired executive-level CISO,” the study found. “This elevation signals a broader shift in how organizations view cybersecurity leadership. Increasingly, the CISO is no longer positioned primarily as a technical expert, but rather as a strategic leader embedded in enterprise governance and business decision-making. In smaller organizations, the share of VP-level CISOs has also declined—typically due to organizations shifting the role downward to director level rather than upward to executive-level positions. In effect, these organizations tend to view cybersecurity as a hands-on operational responsibility more embedded in the tech function rather than a board-level strategic priority.”
“Our data shows the VP-level CISO is becoming less common, as an organization either views security as important enough to merit executive-level titling and compensation at the SVP/EVP level, or it views security as a back-office function with a director-level security program leader,” said Steve Martano, partner, cyber security practice, at Artico Search. “Mid-level CISOs are likely either to get promoted into the executive ranks or top out at as a technical director-level program leader.”
The Evolving Structure of CISO Reporting Lines
Sixty-four percent of CISOs currently report into IT, typically to the CIO or CTO. However, reporting lines are slowly shifting, and dotted line responsibility is often just as or more important than direct line reporting, the IANS and Artico report explained. The study said that CISOs with executive-level titles are significantly more likely to sit outside IT and report to a business leader, such as the CEO, COO, CFO, CRO or general counsel. This is true for 44 percent of executive-level CISOs in large organizations (over $1 billion in revenue) and an even higher 64 percent in smaller organizations—largely, the result of flatter, leaner leadership structures.
“Director-level CISOs, by contrast, are far more likely to report into IT, regardless of company size,” the IANS and Artico report said. “Both models offer distinct advantages. Reporting into IT, CISOs utilize the operational proximity between security and technology, often enabling better alignment across IT and security. Conversely, reporting outside IT can elevate cybersecurity to an enterprise-wide concern rather than a predominantly technical one.”
“Regardless of the direct reporting line, visibility with executives and the peer group of the CISO is critically important,” Mr. Comyns said. “Does the organization view the CISO’s perspective on par with the CFO, head of product or general counsel? Or does the organization view the CISO as a siloed tech executive speaking with a lens only on technology and security?”
IANS And Artico Map The Rise Of The Million-Dollar CISO
The chief information security officer (CISO) has become one of the most dynamic and high-impact roles in the enterprise. As cybersecurity grows more critical to business operations and board-level risk conversations, a new class of CISOs is emerging – highly paid, deeply embedded in strategic leadership, and increasingly sought after. Evan Berta, an associate at Hunt Scanlon Ventures, explores how compensation, scope, and visibility are reshaping the role.
“On a permanent basis, we see CISOs reporting to CEOs of product companies more than in any other sector,” said Mr. Martano. “CISOs in other industries may also report to the CEO for temporary periods such as post-breach environments or in a company that is going through a significant merger of products and technologies.”
CISO Scope Continues to Broaden
The functional scope of the CISO role continues to evolve. IANS and Artico’s survey data over the past five years, supported by ongoing conversations with CISOs, confirms the CISO role is steadily expanding into adjacent domains. In this year’s survey, 53 percent of CISOs reported their responsibilities have grown over the past 12 months. This trend holds true across organizational sizes and industries, varying by no more than 10 percentage points. Information security remains at the core of CISOs’ responsibilities, with more than 80 percent overseeing SecOps, security engineering & architecture, GRC, and application security —and, increasingly, IAM. Over time, many CISOs have seen their portfolios broaden to include business risk functions such as tech risk & compliance, third-party risk management, disaster recovery and product security. Nearly 30 percent also have ownership over parts of the IT stack, including IT compliance, IT operations or networking.
“For security leaders, scope creep is more common than scope divestiture,” Mr. Comyns said. “Five years ago, most CISOs did not own identity programs, while today, 76 percent of CISOs have full responsibilities for IAM programs. Many CISOs who do not own those programs today are requesting direct responsibility for them due to the significant risk associated with AI agents and complex system access requirements.”
With growing scope comes more cross-functional collaboration beyond the evolution of functional scope, the IANS and Artico report noted that the CISO role is also evolving in terms of the relationship it maintains with leaders across the organization. “Such collaboration is required for effectively integrating cybersecurity into business strategy, aligning risk management with organizational priorities and fostering a shared sense of accountability for security outcomes,” the report said.
When asked about the frequency of direct, one-on-one interactions with other senior executives, 91 percent of CISOs reported they engage directly with the CIO or CTO at least monthly, followed by the general counsel or head of legal (54 percent) and the head of products (40 percent) at the same frequency. Engagement with other senior leaders—including the CFO, CEO or COO, and business unit heads—tends to occur quarterly or on an ad hoc basis, the study found. In addition, CISOs are least likely to maintain close relationships with the heads of sales or marketing; nearly one in five reported they do not see the need to engage with these leaders at all. Executive-level CISOs are significantly more likely than director-level CISOs to maintain regular one-on-one interactions with senior leaders. For meetings with the CEO or COO, head of HR or head of sales, executive CISOs are at least twice as likely to engage monthly.
“The depth of a CISO’s cross-functional relationships depends on the priorities and scope of the role,” Mr. Martano said. “In a customer trust-heavy externally facing CISO role, collaboration with the go-to-market teams is often strong. At product companies driving a product security transformation, the relationships among the CISO and the CTO/head of engineering/ head of product are often strong to better embed security into product design.”
The CISO Career Journey
On average, respondents have served in CISO roles for nine years of their career, with 80 percent having held the role for at least four years. More than two-thirds have served as a CISO at multiple companies, gaining experience across different organizational settings; of them, 81 percent have worked as a CISO in two or more industries (62 percent of all CISOs). As in prior years, more than two-thirds of CISOs are open to making a career move within the next 12 months.
IANS and Artico found that across these industries, several patterns stand out: Cross-sector mobility CISOs in tech and financial services move fluidly between the two sectors—more than 25 percent of tech CISOs have prior experience in financial services, and vice versa. Sector expertise manufacturing CISOs are less likely to have prior CISO experience within their own industry. About 50 percent served as CISO in financial services and/or healthcare, and 19 percent have CISO experience in tech. Career ambitions Financial services CISOs most often aim for a larger firm within their current industry, while CISOs in manufacturing more commonly target CISO roles in different industries. Popular post-CISO career options include CTO/CIO roles and public company board positions with far less interest in CRO, chief trust officer or chief digital officer positions.
“Most CISOs spend time in different sectors, which affords them the opportunity to see companies and industries with different risk postures work through diverse regulatory requirements, and to continue to grow as a practitioner,” said Mr. Martano. “In a role that many view as having limited upward career potential beyond CISO, practitioners are finding ways to stay engaged and challenged in new sectors where they can learn and bring a unique perspective to security programming.”
“The demand for experienced CISOs remains strong as the role continues to become more complex and more ‘executive,’” Mr. Martano stated. “Understanding how organizations define scope, reporting structure, and leadership access and visibility is critical for CISOs planning their next move and for companies looking to hire or retain security leaders.”
Download the 2026 State of the CISO Snapshot Report!
Contributed by Scott A. Scanlon, Editor-in-Chief and Dale M. Zupsansky, Executive Editor – Hunt Scanlon Media
