IANS: Executive-level CISOs keep rising
The CISO is increasingly seen as a strategic leader rather than just a tech expert, according to the new study.
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
There are certain types of chief information security officers (CISOs)—three specifically, according to research group IANS—and only some get invited to the executive dining room: executive-level CISOs, who engage with the board and support corporate strategy; director-level CISOs, who maintain operations and protect data; and VPs, who do a little bit of both.
But a new IANS and Artico Search report reveals a gradual vanishing of the VP-level security officer, leading to more executive-level positions and a greater division between exec CISOs and their director-level counterparts.
According to the report, which polled over 660 CISOs in the US and Canada in 2025:
- Just under half (46%) of CISOs have executive titles; VPs and directors each represented 27% of respondents
- Executive-level CISO roles at large enterprises rose from one-third in 2023 to 47% in 2025
- Executive-level titles grew, thanks in part to VP-level promotions or replacements
The cybersecurity leader’s responsibility in protecting business outcomes has grown along with the tech stack.
“It’s gone from an isolated, ‘Here’s our technology stack; secure that,’ to, ‘Technology is built into every business process,’” Nick Kakolowski, senior director of CISO research for IANS, told IT Brew. “You now have to be participating in helping the business secure every business process.”
Kakolowski spoke with us about the rise of the exec-level CISO—and what makes a good one.
This conversation has been edited for length and clarity.
Does your research reveal an emergence of the executive-level CISO?
I don’t know if I call it an emergence so much as a normalization. We’ve seen the emergence happening gradually over the past five years. This is the year where it’s become a tipping point, where pretty much a majority of orgs are putting executive-level CISOs in place, and where we would say it is normal in a larger business to have an executive-level CISO.
Do you expect that number to rise?
I think we’ll see a continued, gradual rise. But what’s really interesting in this year’s data is the bifurcation. There is a cohort of businesses that are recognizing the importance of cyber risk to the broader business landscape, and elevating the CISO into an executive role to position that leader to handle risk management at enterprise scale.
And then there is a division of businesses that either haven’t recognized or simply don’t experience cyber risk in the same way. Maybe they are less technology-enabled. Maybe technology is more commoditized and the data isn’t as valuable to them as a business, and therefore they need their cybersecurity leader to be that more functional director who is owning a segment of IT and keeping the business safe at that more technical level. We will see businesses grow out of that group into the group that needs a larger enterprise executive-level CISO…but there will likely, for the foreseeable future, continue to be some space in the industry for those director-level CISOs as well.
What’s a common problem that an executive-level CISO can help solve?
We have seen—two, three, four years ago—when we talked to CISOs [they might have said], “Oh, I was told there’s going to be an acquisition. We did our due diligence, and I’ve been handed this new process and this new division of an organization that I need to integrate into our business.”
And that’s how it would typically be treated in a director-level role. You’re not involved in the business decision-making. You’re not involved in buying down that risk at the outset. You’re involved in dealing with the aftermath of that risk and managing it.
What we are seeing with the executive-level CISO is businesses are saying this cyber risk has real implications for this merger and acquisition. It might affect the price of our acquisition. It might affect the roadmap. It might affect how we handle hiring. We want to bring the CISO in earlier in the process, so that they can analyze the risk, inform our decision-making, and develop a process that streamlines and accelerates the acquisition. And that executive-level CISO is sitting in the room with the executives as a decision is being made.
What advice would you have for aspiring executive-level CISOs?
It’s all about broadening the skill set. It starts with mastering cyber and running an excellent team…What we’ve seen from those really elite, problem-solving CISOs in large, sophisticated orgs, who are being treated as executives, is they’ve come in and, in their first year or two, they’ve built a strong cybersecurity team, and then they’ve said, “Okay, that team is running well. I’m going to delegate most of those operations, and I am going to lean in on understanding what’s going on under the hood in our revenue models, where the business is expanding, and how I can go about smoothing the process for us to develop revenue plans.”
