
CISOs Rise in Rank as Cyber Risk Reaches the Boardroom

CISOs are continuing to see their positions within organizations rise. With increasing cybersecurity complexities and cyber threats, CISOs are now expected to not only play their long-held traditional technical roles, but also be digital risk strategists for their companies.

The shift has reached the point where more CISOs hold executive-level titles than those at the vice president or director levels, a first-time development outlined in a report released this week by cybersecurity consultancy IANS Research and Artico Search, an executive recruitment firm.

According to the 2026 State of the CISO Benchmark Report, in 2025, 47% of CISOs in larger enterprises carried executive-level titles, a 14-point jump from 33% in 2023. The growth is even greater in publicly traded companies, where there was a 21-point swing. In midsize and small organizations – those with less than $1 billion in revenue – the shift to executive-level titles was steadier, with a third of CISOs still holding director-level titles.

However, the researchers revealed that the expanded titles and duties come with greater responsibilities and expectations.

“The cybersecurity function continues to rise in prominence, expand in scope and gain visibility,” the report’s authors wrote. “Consequently, CISOs are increasingly expected to serve not just as technical leaders, but as enterprise-wide strategists. Their rise to the executive ranks brings greater influence but also greater demands, including wider accountability, more cross-functional engagement, and intensified expectations and oversight from senior leadership and boards.”

Rising Stature

The CISO's role has come under greater scrutiny in recent years as the attack surface of organizations has broadened, thanks to trends such as increased cloud adoption, the distributed nature of IT and workforces, expanding nation-state threats, sophisticated attacks, and the explosive rise of generative AI and agentic AI over the past three-plus years.

These have resulted in greater prominence, demand, and benefits for the CISO's role. IBM and others have also noted the evolving nature of the job, with Big Blue writing that “the role has moved from primarily being a technical role to more of a business leader. Instead of implementing cybersecurity, CISOs now focus on helping the organization’s leaders understand the importance of cybersecurity and lead the strategic thought for the organization’s cyber strategy. CISOs bridge the gap between the technical language that comes easily to the IT department and the business language of senior leadership.”

The IT giant also noted the position’s new place within organizational structures, with 47% of CISOs directly reporting to their CEOs.

In another report published in November 2025, IANS and Artico Search revealed that pay packages for CISOs in the United States and Canada increased an average of 6.7% over the previous 12 months, with the total yearly compensation for the top 1% of CISOs starting at $3.2 million.

Who Do They Report To?

The latest survey from IANS and Artico Search sheds more light on the changing nature and status of the job. Along with the growth in executive-level titles, the survey of 662 CISOs found what the report’s authors said is a “bifurcation of security into a strategic risk function vs. an IT subdivision.”

In keeping with the trend seen over the last few years, most CISOs (64%) report to IT executives, such as the CIO or CTO, while 36% report to non-IT executives, including the CEO, chief operating officer, general counsel, or chief risk officer. Executive-level CISOs are more likely to report to the non-IT leaders.

The leveling of the CISO position and the trends in who they report to reveal a “bifurcation of security into a strategic risk function vs. an IT subdivision,” the authors wrote. Some organizations are elevating security into a core business risk function that is helmed by an executive-level CISO who is more strongly aligned with the business side.

On the other side, security is viewed as a subdivision of IT, with primarily director-level CISOs who more often report to IT executives.

Growing Roles Outpacing Resources

Additionally, 52% of CISOs surveyed stated that the continued expansion of their roles through new functions and enterprise-wide responsibilities is outpacing the resources they have to work with, which makes it harder for them to manage the scope of work. This is particularly true of CISOs in smaller organizations and those in a range of industries, such as education, manufacturing, and retail, all of which tend to have smaller security teams. Their counterparts at large organizations in sectors such as financial services and insurance aren’t feeling the same amount of pressure because they have more resources and more mature security functions.

For organizations with leaner teams, the problems will be felt.

“CISOs warn scope-resource imbalances may have far-reaching consequences, including delays in strategic priorities, erosion of long-term resilience, and reactive security operations with diminishing quality,” the authors wrote.

A Mobile Career

The career paths of CISOs also reflect a growing demand for their skills and greater mobility. The average tenure at a company is nine years, with 70% having served in the same role at multiple companies and 62% filling the CISO position in more than one industry. Not including first-timers, 40% of CISOs have experience only within financial services companies, and 28% have held positions in tech. In addition, 19% have been CISOs in healthcare, and 13% in government.

“This cross-sector mobility reflects both the demand for seasoned cybersecurity leaders and the transferability of CISO expertise across different business contexts,” the authors wrote.

Almost 70% of CISOs are amenable to making a career move in the next year, with many looking for similar roles at a larger company or within a different industry. Some are also interested in non-CISO roles, such as CTO, CIO, board member, or a second-in-command security job at a larger company.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
