The Anatomy of a CISO: Navigating the Modern Security Paradox

Since its creation by Citibank in 1994, the role of the Chief Information Security Officer has become a fixture in the corporate world. As of 2024, nearly 75% of Fortune 500 companies have a CISO. Regulators, from the SEC to New York’s Department of Financial Services, have passed rules that elevate the role’s importance, demanding board-level reporting and accountability. You have the title, the responsibility, and, increasingly, the liability.

So why does it still feel like a struggle to gain legitimacy?

A comprehensive 2025 literature review published in Computers & Security synthesizes decades of academic and practitioner research to answer that question. It dives deep into the state of the CISO role, revealing the persistent challenges, structural debates, and unanswered questions that define the profession today. The findings confirm what many CISOs feel intuitively: your job is about navigating organizational paradoxes as much as it is about managing risk.

The Reporting Line Dilemma: A Perennial Debate with No Easy Answer

One of the most prominent themes from the research is the ongoing debate about where the CISO should report. This isn’t just a line on an org chart; it’s a structural decision that defines your authority, budget, and potential for conflicts of interest.

Reporting to the CIO: The Traditional Path

Historically, the CISO has reported to the CIO. This structure offers the advantage of technical alignment and easier collaboration. However, the review highlights a critical conflict of interest: a CISO may be pressured to overlook vulnerabilities tied to the CIO’s own initiatives. This has led to a steady decline in this reporting structure.

Reporting Outside of IT: A Shift Toward Independence

There is a growing trend of CISOs reporting to other executives like the Chief Risk Officer (CRO) or even the CEO. The research suggests this independence leads to a stronger focus on enterprise-level risk, not just technical issues. One study found that 62% of CISOs now report to a role other than the CIO.

The Real Answer: Relationships Over Hierarchy

Ultimately, the literature review concludes that the quality of relationships is often more important than the formal reporting line. Drawing on social capital theory, the research emphasizes that a CISO’s influence comes from building trust and social alignment with business executives and the board, no matter where the role sits on the organizational chart. In practice, your ability to thrive depends on a CISO leadership strategy that aligns security with business outcomes.

The CISO Skillset Paradox: Why Technical Expertise Can Be a Double-Edged Sword

What does it take to succeed as a CISO? The review confirms that while deep technical knowledge is essential, it can paradoxically hinder a CISO’s effectiveness if not balanced with business acumen.

The research points to a critical finding: a CISO’s heavy technical expertise can negatively impact the creation of integrated knowledge between business and security leaders. Many CISOs, coming from technical backgrounds, are found to lack the business and leadership acumen needed to articulate solutions to senior management. The modern CISO must be a translator, converting complex security risks into terms that resonate with business objectives.

The Three Great Unanswered Questions Facing Every CISO

The review goes beyond summarizing what we know and proposes a research agenda to tackle the biggest challenges facing the profession. These are the core issues that define the CISO’s struggle today.

  1. The Quest for Legitimacy: While the CISO has a “chief” title, they are often seen as second-tier executives. How can CISOs build the credibility and power needed to be seen as true C-suite peers?
  2. The “CISO as Scapegoat” Problem: With no clear consensus on accountability, there are widespread concerns about CISOs being unfairly blamed for incidents. How can the industry define a fair model of accountability?
  3. The CISO Turnover Crisis: With an average tenure of just 26 months, CISO turnover is a massive threat to organizational stability and knowledge retention. What are the root causes, and how can they be addressed?

A Role in Constant Evolution

The review concludes that the “only constant for today’s CISOs is change.” The role has evolved from a tactical defender to a strategic risk manager, a steward of digital trust, and a key advisor to the board. Understanding these evolving dynamics is the first step for any CISO looking to not just survive, but thrive in one of the most demanding and critical roles in modern business.

For Further Reading

This blog post is based on the insights and analysis presented in the academic paper: Sahin, Z., & Vance, A. (2025). What do we need to know about the Chief Information Security Officer? A literature review and research agenda. Computers & Security, 148, 104063. https://doi.org/10.1016/j.cose.2024.104063