Executive-level CISO titles surge amid rising scope strain
IANS and Artico Search have published their 2026 State of the CISO Benchmark Report, which finds that executive-level CISO titles now make up the largest share of information security leadership roles.
The report draws on responses from 662 CISOs across various industries and organisation sizes. It points to changes in how companies level the CISO role and where it sits within reporting structures.
In large enterprises, executive-level representation rose from 33% in 2023 to 47% in 2025. The report notes that large publicly traded companies recorded sharper gains.
IANS and Artico Search said titles such as SVP, EVP, or Chief Information Security Officer now represent a plurality of infosec leadership levelling. The report also describes broader expectations on CISOs as cybersecurity becomes a board-level issue in many organisations.
"The CISO role has clearly reached an inflection point," said Nick Kakolowski, Senior Director, CISO Research, IANS. "Executive-level titles are becoming more common, but many CISOs are still operating within legacy structures that haven't kept pace with the scope and expectations now placed on the role."
Reporting lines
The report says reporting structures still place most CISOs under IT leadership, although a sizeable minority now report outside IT. It found 64% of CISOs report into IT leadership, while 36% report to business leaders such as the CEO, COO, General Counsel, or Chief Risk Officer.
Executive-level CISOs were more likely to report outside IT than peers with VP or director titles, according to the findings. The report frames this as part of a broader shift in how organisations place accountability for cyber risk and oversight.
The findings arrive as boards and senior executives assess cyber exposure alongside other enterprise risks. The report links these expectations to the need for security leaders to engage across legal, risk, operations and other functions.
Scope pressures
The report also highlights what it describes as a gap between expanding responsibility and available resources. More than half of respondents, 52%, said their scope is no longer fully manageable.
Smaller organisations and industries with leaner security teams showed the highest levels of strain, the report says. It adds that CISOs warn these imbalances can delay strategic initiatives and push teams towards reactive security operations.
The report positions this issue as a management challenge as well as a governance question. It links scope creep with wider accountability and higher expectations on security leaders, even where budgets and staffing remain constrained.
Career mobility
On career paths, the report says CISOs now show high mobility across organisations and industries. It found respondents report an average tenure of nine years, with many having served as CISO at multiple organisations and in multiple sectors.
It also found that nearly seven in ten CISOs are open to making a career move within the next year. The report says these moves can include a shift to a larger organisation, a different industry, or an adjacent executive leadership role.
Recruiters and employers have watched turnover trends closely as demand for senior security leadership has remained high across many sectors. The report suggests that title, scope and reporting structure form part of how CISOs evaluate roles.
Steve Martano, IANS Faculty and Partner at Artico Search's Cyber Practise, said the market continues to look for experienced leaders who can operate at an executive level.
"The demand for experienced CISOs remains strong as the role continues to become more complex and more 'executive'," said Martano. "Understanding how organizations define scope, reporting structure, and leadership access and visibility is critical for CISOs planning their next move and for companies looking to hire or retain security leaders."
The study is based on the sixth annual IANS and Artico Search CISO Compensation and Budget Research Study, with data collected between April and November 2025.