The Unresolved Reporting Line is Costing Billions

Why clear boundaries beat reporting lines: Solving the CIO-CISO conflict with an Integrated Operating Model.

Executive Summary

For twenty years, our industry has argued whether the CISO should report to the CEO or the CIO. It is the wrong question. The real problem is a lack of clear delineation between where the CISO’s responsibilities end and the CIO’s begin. Without this, we drift into expensive dysfunctions. The solution isn’t a new org chart—it is an Integrated Operating Model.

To whom the CISO should report is the oldest unresolved enigma in cybersecurity. The consequences are failed transformations, ineffective “watermelon” cyber programs, and unmeasurable financial losses driven by friction and IT inertia.

Many advocate reporting to the CEO, CFO, or CRO. You gain independence, but you lose proximity to security controls—more than 80% of which live in IT infrastructure. The CISO becomes a risk reporter who can articulate threats but loses influence over the machinery that prevents them.

Report to the CIO/CTO? You gain access to controls but inherit a fundamental conflict of interest. The CIO is measured on uptime and velocity; the CISO on risk reduction. When priorities clash, security usually loses.

“We have been looking at it wrong. The industry has been treating it as a reporting line issue. It’s not. The real problem is the lack of a clear delineation.”

The Cost of Ambiguity

Without clear boundaries between CIO and CISO responsibilities, two dysfunctional dynamics consistently emerge:

1. The “Watermelon” CISO

The Setup: A non-technical CISO owns policy; CIO owns operations.

The Result: Green dashboards on the outside, Red infrastructure on the inside. A false sense of security that crumbles under attack.

2. The “Shadow Engineer”

The Setup: A technical CISO builds a parallel IT organization to “ensure it gets done right.”

The Result: Friction, duplicated costs (firewalls, identity platforms), and broken accountability.

The Solution: An Integrated Operating Model

The solution isn’t choosing a better reporting line. It’s defining an Operating Model where responsibilities are clearly separated yet intertwined. When these delineation lines are defined, the turf wars end.

Figure 1: The Integrated Operating Model – Delineating Responsibilities (legend: Integrated, CISO Owned, IT Owned, Joint)

  • Strategy & Design (EA): The Integration Engine: Lead Architect + Embedded Security Architect
  • Governance (CISO): Risk Appetite, Policy & Assurance
  • Prevention (IT Ops): Owns Firewalls, Identity, Patching
  • Risk (CRO/ERM): Translates Cyber Risk ↔ Business Risk
  • Detection (SecOps): Threat Hunting, Red Teaming
  • Unified Incident Command: Joint Authority: SecOps (Identify) + IT Ops (Contain & Remediate)

How Responsibilities Are Delineated

  • Strategy & Design (Integrated): The CISO defines security requirements, but Enterprise Security Architects embed within the EA function to translate them into design constraints. Security becomes an aspect of every design decision, not a separate compliance gate.
  • Prevention & Build (IT Owned): IT owns the machinery (firewalls, identity platforms, patching). The CISO provides the standards and validates configurations. IT executes; Security assures.
  • Governance & Assurance (CISO Owned): The CISO defines risk appetite and policies. They assure alignment but do not operate infrastructure.
  • Detection & Response (CISO Owned): Freed from IT operations, the CISO focuses on pure security functions: Red teaming, threat hunting, and intelligence.

The Critical Prerequisite: Mature Integrating Functions

This operating model depends on maturity at three critical integration points. Without these capabilities, delineation without integration simply creates new silos.

  • Mature Enterprise Architecture: To integrate security requirements into IT design before build begins.
  • Mature Enterprise Risk Management: To integrate cyber GRC into business risk reporting so the board can compare cyber risk to financial risk.
  • Mature Incident Management: To integrate Security Ops and IT Ops during a crisis through unified, tested playbooks.

The Cost of EA Maturity vs. The Cost of Inertia

A common objection from CFOs is that “Mature EA” sounds expensive. However, mature EA is a Cost Avoidance Mechanism. Immaturity imposes hidden taxes that cost far more:

The Duplication Tax

Buying the same security capability (e.g., DLP, Identity) three times because no architectural standard exists.

The Friction Tax

The massive cost of retrofitting security controls late in the development cycle (10x-100x more expensive).

The Inertia Tax

Revenue lost when product launches are delayed by territorial battles over security controls.

The Path Forward: Making It Work

If these capabilities are new or immature, strong cross-functional collaboration is required to co-develop them. The best CISOs don’t just complain about immaturity—they champion the work of building that maturity.

Action Plan for the CISO:

  • No Mature EA? Maintain control of Security Architecture and focus on building influence through stakeholder relationships.
  • No Mature ERM? Maintain direct board reporting for cyber risk while working to establish common risk language with the CFO.
  • No Incident Mgmt? Prioritize joint simulation exercises to build trust between IT and Security teams before a crisis hits.

The Bottom Line

We’ve been asking the wrong question. The right question is: Have you clearly delineated where the CISO’s responsibilities end and where other functions’ responsibilities begin?

The best CISOs don’t build empires—they build operating models.

Struggling with the CIO-CISO Friction?

In some organisations, historical compromises make these boundaries difficult to resolve internally. An independent review can help you surface blind spots and reset the conversation.
