The role of chief information security officer (CISO) is now more likely to be regarded as an executive-level position than VP or director, signifying its growing importance to the business, according to IANS.
The research and advisory firm put together its 2026 State of the CISO Report based on interviews with 662 North American CISOs.
It revealed that 46% of respondents now hold executive titles (e.g., EVP, SVP), while 27% are VPs and 27% are directors. This indicates a “structural shift” in the security leadership landscape, IANS claimed.
“CISOs are increasingly expected to serve not just as technical leaders, but as enterprise-wide strategists,” the report noted.
“Their rise to the executive ranks brings greater influence but also greater demands, including wider accountability, more cross-functional engagement, and intensified expectations and oversight from senior leadership and boards.”
Read more on CISO roles: CISOs Dramatically Increase Boardroom Influence but Still Lack Soft Skills
The challenge for CISOs interviewed for the report is meeting these greater demands with limited resources.
Over half (53%) of respondents said their role had expanded over the past year. Most now have responsibility for SecOps, security architecture and engineering, GRC, app security, IAM, compliance, supplier risk management, BC/DR and product security.
However, more than half (52%) of CISOs polled by IANS said that their scope is no longer fully manageable, especially in smaller organizations. They warned that this imbalance could delay strategic initiatives and increase the likelihood of reactive security.
“The CISO role has clearly reached an inflection point,” said Nick Kakolowski, senior director, CISO Research at IANS.
“Executive-level titles are becoming more common, but many CISOs are still operating within legacy structures that haven’t kept pace with the scope and expectations now placed on the role.”
Security Splits in Two
Despite executive-level recognition, most (64%) CISOs still report into IT – typically the CTO or CIO – with just 36% reporting to the business.
However, this is changing, and those with executive positions are more likely to report into the CEO/CFO/COO/CRO or general counsel. Some 44% do in the largest firms ($1bn+ revenue) while an even bigger share (64%) do in smaller organizations (under $1bn revenue).
IANS argued that security is effectively splitting into two models:
- Large companies – especially publicly listed ones – increasingly treat security as a core enterprise risk function, led by an executive-level CISO who often reports to a business or risk executive
- Small and midsize organizations more typically embed security as an IT subdivision, overseen by a director-level CISO who reports to the CIO or CTO. Or a CISO with an executive title in name only
