Report: CISOs Increasingly Positioned as Executive Leaders

Cybersecurity leadership roles are undergoing a structural shift, with executive-level titles now representing the most common way organizations position their top security leaders, according to new research from IANS and Artico Search.

The 2026 “State of the CISO Benchmark Report,” released Jan. 15, finds that titles such as senior vice president, executive vice president, and chief information security officer now make up the plurality of CISO role classifications across company sizes. 

CISO role expands beyond IT and into the business

As cyber risk becomes more tightly linked to business operations, regulatory exposure, and corporate reputation, CISOs are gaining greater visibility with senior leadership teams and boards. 

That visibility, however, is accompanied by expanded accountability and cross-functional responsibility.

“The CISO role has clearly reached an inflection point,” Nick Kakolowski, senior director of CISO research at IANS, said in a statement. “Executive-level titles are becoming more common, but many CISOs are still operating within legacy structures that haven’t kept pace with the scope and expectations now placed on the role.”

The report notes that while a majority of CISOs still report through IT leadership, a growing share now report directly to business executives, including the CEO, COO, general counsel, or chief risk officer. 

Executive-level CISOs are significantly more likely to sit outside traditional IT reporting lines than their VP- or director-level peers.

Large enterprises drive growth in executive-level CISO titles

The shift toward executive titles is most pronounced among large organizations and publicly traded companies. 

In large enterprises, executive-level CISO representation increased from 33 percent in 2023 to 47 percent in 2025, according to the study. Public companies posted even sharper gains, reflecting increased regulatory scrutiny and board-level focus on cybersecurity oversight.

Researchers say the data suggests organizations are formalizing the CISO’s role in governance and risk management, even as reporting structures continue to vary widely by industry and company maturity.

Scope expansion outpaces staffing and budgets

Despite elevated titles and broader influence, many CISOs report that their responsibilities are growing faster than their resources.

More than half of respondents said their current scope is no longer fully manageable, particularly in smaller organizations and industries with lean security teams.

These imbalances, the report warns, can delay strategic security initiatives and push teams into reactive operating modes, increasing long-term risk exposure. 

CISOs cited expanding regulatory requirements, cloud complexity, and third-party risk as major contributors to scope creep.

CISO career mobility remains high

The report also highlights continued mobility within the CISO ranks. Respondents reported an average tenure of nine years, often spanning multiple organizations and industries. 

Nearly seven in 10 CISOs said they are open to making a career move within the next year, whether to a larger company, a different vertical, or an adjacent executive role.

“The demand for experienced CISOs remains strong as the role continues to become more complex and more ‘executive,’” said Steve Martano, IANS faculty member and partner at Artico Search’s cyber practice. “Understanding how organizations define scope, reporting structure, and leadership access is critical for both candidates and employers.”

For channel partners, this research is yet another reminder of the importance they hold as strategic advisors and cybersecurity experts to their clients. When internal teams struggle to keep up, the channel feels more important than ever.

Methodology

The 2026 State of the CISO Benchmark Report is based on the sixth annual IANS and Artico Search CISO compensation and budget study, with data collected between April and November 2025 from 662 CISOs across industries and organization sizes.