Here's a question most CEOs have never asked themselves: Who does your CISO report to?
If the answer is "the CTO" — which it is at most mid-market tech companies — you've architected a conflict of interest into the heart of your security posture. And when the breach comes (not if, when), that reporting structure will be the reason you weren't ready.
Let me explain why.
The Structural Conflict
Your CTO's job is to ship product. Move fast. Deliver features. Hit roadmap milestones. Keep engineering velocity high. Enable the business to grow.
Your CISO's job is to slow things down. Question assumptions. Add friction. Enforce constraints. Say "not yet" when everyone else is saying "ship it."
These aren't complementary roles. They're opposing forces. And when you put one under the other, you've decided which one wins.
I've run a cybersecurity company for 20 years. I've seen this dynamic play out hundreds of times across our customer base. The CTO wants to launch a new feature by Friday. The CISO flags a privilege escalation risk. The CTO says "we'll patch it next sprint." The CISO escalates to... the CTO.
Who do you think wins that conversation?
It's Not About Trust
Before anyone gets defensive — this isn't about whether your CTO is trustworthy or whether they care about security. Of course they do. Most CTOs I know take security seriously. That's not the point.
The point is incentive alignment.
When your CISO reports to your CTO, their performance review is written by the person whose priorities they're supposed to challenge. Their budget is approved by the person whose timelines they're supposed to slow down. Their credibility inside the organization is mediated by the person whose technical decisions they're supposed to audit.
That's not a reporting relationship. That's a subordination relationship. And subordination kills independent thinking.
I've watched companies ship products with known vulnerabilities because the CISO didn't have the organizational leverage to stop it. I've watched security budgets get cut because the CTO needed those headcount slots for feature teams. I've watched post-breach retrospectives where everyone asks "why didn't security flag this?" — and the answer is "they did, but they reported to engineering, so engineering overruled them."
And then the board asks the CEO: "How did this happen?"
The answer is: you designed it to happen. Organizationally.
Security Is a Business Risk, Not a Technical Risk
Here's the mental model shift that changes everything:
Security is not an engineering subdomain. It's a business risk function — like legal, finance, or compliance.
When your general counsel identifies a contract risk, they don't report to the Head of Sales. When your CFO spots a financial control gap, they don't report to the VP of Operations. Because the job of those roles is to represent an independent perspective that might conflict with operational priorities.
Security is the same. The CISO is not there to help engineering build secure systems (though they should do that too). They're there to independently assess and communicate enterprise risk to the CEO and the board.
That assessment has to be independent. If it's filtered through the CTO, it's not independent. It's an internal engineering opinion.
What Boards Actually Care About
I've sat in a lot of board meetings. Here's what boards ask about after a breach:
- "Did we know about this risk?"
- "If we knew, why didn't we fix it?"
- "If we didn't know, why not?"
- "Who was responsible for knowing?"
And the uncomfortable answer, more often than not, is: "Security flagged it, but it was deprioritized for product velocity."
Now here's the next question the board asks:
"Who made that decision?"
If your CISO reports to your CTO, the answer is ambiguous. Was it a technical decision? A product decision? A resourcing decision? Who actually had authority?
But if your CISO reports to you — the CEO — the answer is clear. Security raised the risk. You (or the CTO, with your oversight) made the call to accept it. Everyone knows who owns the tradeoff. The org chart reflects the accountability structure.
That clarity matters. Not just post-breach, but pre-breach, when you're making the decisions that determine whether the breach happens in the first place.
The Reporting Structure That Works
Here's what the org chart should look like:
CEO
├─ CFO
├─ General Counsel
├─ CTO
└─ CISO
The CISO is a peer to the CTO, not a subordinate. They have independent budget authority. They have direct access to you and the board. When there's a conflict between security and product velocity, you mediate it — not the CTO.
This doesn't mean security always wins. Sometimes the right call is to ship with known risk because the business opportunity justifies it. But it does mean the decision is explicit, documented, and owned at the right level.
When your CISO says "we shouldn't ship this yet," and your CTO says "we need to ship this now," you're the one who weighs the tradeoff. You ask the hard questions:
- What's the actual risk?
- What's the business cost of delay?
- What's the reputational cost if this goes wrong?
- Can we mitigate enough to ship safely?
- If we accept the risk, what's the contingency plan?
And then you make the call. Not as a technical decision, but as a business decision.
That's what CEOs are for.
The Talent Argument
Here's another benefit nobody talks about: CISO-level talent won't take the role if it reports to the CTO.
The best security leaders I know — the ones who've been through breaches, know how boards think, understand risk at an enterprise level — they won't take a CISO role that reports to engineering. Because they've learned the hard way that when security is subordinated to product, security loses. And they don't want to be the person holding the bag when the breach happens.
If you want a CISO who can actually do the job — someone with the experience, judgment, and credibility to tell you what you need to hear instead of what you want to hear — you need to give them the organizational position to do it.
That means a seat at the table. A direct line to you. And the authority to stop the train when the train needs to be stopped.
What About Smaller Companies?
Fair question. Not every company is big enough to justify a full-time CISO. If you're 30 people and your CTO is also doing security, that's fine. That's not the scenario I'm talking about.
I'm talking about companies that have already decided security matters enough to hire a CISO — and then undermined that decision by putting them under the CTO.
If you're big enough to hire a CISO, you're big enough to give them a real seat at the table. Otherwise, you're paying for the title without buying the function. And when the breach comes, the title won't protect you.
The Change Is Easier Than You Think
I know what you're thinking: "This sounds like a political nightmare. My CTO will see this as a vote of no confidence. My CISO might not even want the exposure of reporting directly to me. Our board might not understand why we're restructuring."
Here's how you position it:
"We're aligning our org structure with our board-level risk priorities. Security is an enterprise risk, not a technical subdomain, and we're elevating it accordingly. This doesn't change the CTO's technical authority — it clarifies accountability and ensures security gets the independent voice it needs."
That's not a demotion for the CTO. It's a recognition that security and engineering have different objectives, and those objectives are both critical.
And if your CISO doesn't want the responsibility of reporting to the CEO? That's useful information. It might mean you hired a senior security engineer, not a CISO. The title is the same; the job is different.
What This Looks Like in Practice
Let me give you a real example from a customer (details anonymized).
Mid-sized SaaS company. 400 employees. CISO reported to the CTO. Product roadmap called for launching a new enterprise tier with custom integrations. Security audit flagged that the integration layer didn't properly isolate tenant data. The fix would take six weeks. The launch was scheduled for two weeks.
The CTO made the call: ship it, fix it in the next release. The CISO documented the risk and moved on. They launched. Three months later, a customer found a way to query another tenant's data through the integration API. Small breach, no exfiltration, caught early. But enough to trigger disclosure requirements, customer notifications, and a very uncomfortable board meeting.
The board asked: "Why did we ship with a known isolation flaw?"
The CTO said: "We assessed the risk and decided the business priority justified it."
The board said: "Did the CEO know?"
The CEO said: "I knew we were launching the enterprise tier. I didn't know there was a specific security risk we were accepting."
And that's the problem. The CTO made a risk decision that should have been a CEO decision. Because when you ship with known vulnerabilities, you're not making a technical decision — you're making a business risk decision. And business risk decisions belong to the CEO, not the CTO.
Six months later, that company restructured. The CISO now reports to the CEO. The next time there's a security-versus-velocity tradeoff, the CEO is in the room. The decision still might be "ship it" — but it's an informed decision, with clear ownership, and a documented risk acceptance.
That company hasn't had a breach since. Not because their security suddenly got perfect. But because the decision-making structure now matches the risk structure.
The Board Conversation You Should Have
If you're not sure whether this applies to your company, here's a simple test:
Ask your board: "If we had a material security incident tomorrow, who would you expect to brief you on what happened and why?"
If the answer is "the CISO," but your CISO reports to the CTO, you have a structural misalignment. The person the board expects to own security doesn't have the organizational authority to actually own it.
Fix that now. Before the breach. Because after the breach, the only question that matters is: "Why didn't we fix this when we had the chance?"
The Real Reason This Matters
I've spent two decades in cybersecurity. I've seen companies survive breaches and companies that didn't. The difference is never "how good was their firewall" or "how fast did they patch." The difference is always organizational.
Did security have a voice at the decision-making table? Did the CEO know the risks they were accepting? Was there a process for escalating conflicts between security and product? Did the board understand the threat model?
Companies that survive breaches are companies where security is structurally empowered to do its job. Not because the CISO is paranoid or because the CEO is risk-averse. But because the org chart reflects the reality that security is a business function, not an engineering function.
And the simplest way to make that structural empowerment real is to have your CISO report to you.
Not because you don't trust your CTO. But because when there's a conflict between velocity and safety, you want to be the one making the call. Because that's the call that determines whether your company is still here in five years.
The Action Item
Here's what you should do this week:
1. Map your current security reporting structure. Who does your CISO (or Head of Security, or whoever owns security) report to? If the answer is the CTO, ask yourself: is that the right structure for the risks we're taking?
2. Have the conversation with your board. "We're evaluating our security governance model. I want to make sure our org structure matches the board's expectations for security accountability." Gauge the reaction. You'll learn a lot.
3. Talk to your CISO and CTO. Don't surprise anyone. Explain the reasoning. Make it clear this isn't about trust — it's about aligning authority with accountability. Get their input. They might have perspectives you haven't considered.
4. Decide. If you conclude that security should report to you, make the change. If you conclude it shouldn't, document why. Either way, you'll have thought through the question instead of inheriting an org chart by default.
Because the worst possible outcome is not having thought about it at all — and then having to explain to your board, post-breach, why you didn't.
Follow the journey
Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.
Subscribe →