C-level executives have titles that begin with “chief.” But that doesn’t mean they all sit in the C-suite, which is reserved for CEOs and a select few others.

Chief financial officers (CFOs) and chief operating officers (COOs) are the most common executives in the C-suite. They report to the CEO, attend board meetings, and fly 30,000 feet over their organizations for the big picture.

Most CIOs, on the other hand, report to CFOs and COOs; they don’t sit in the C-suite. There are other next-generation chief titles that also haven’t crashed the boardroom yet.

Chief information security officers (CISOs) are a unique C-level breed. Historically, they’ve been two steps removed from CEOs, reporting to CIOs. But the times are a changin’ for CISOs, and they are starting to receive C-suite invitations.

If it’s true that cybercrime is the biggest threat to every company in the world, then it explains why CEOs are calling on their CISOs to discuss cyber threats and risks with the board.

One industry expert explains that there’s a reordering of org charts as it relates to CISOs.

“Historically, CISOs reported into IT,” says Joseph Steinberg, an Inc. Magazine columnist covering cybersecurity. “Over time, however, as information security became a higher profile risk and its management a more visible function, many organizations transitioned the CISO to report into either the CEO or COO, with a dotted line into IT. While exact reporting structure obviously varies from organization to organization, the general trend of elevating the role of the CISO is likely to continue.”

What IT executives are saying about CISOs in the C-suite

Cybersecurity Ventures reached out to its LinkedIn network for feedback on how experienced senior IT and security executives see the CISO reporting structure.
As with any new trend, the opinions vary, but there’s a lot of chatter on the topic.

“A CISO should report to the role in the organization that allows them the budget and influence necessary to integrate effectively into the business,” says Richard Wildermuth, director of cybersecurity and privacy at PwC, a Big 4 auditor and consulting house with experience around best practices for structuring and running global organizations, as well as enterprise information security operations.

“Often there is an inherent conflict of interest with a CIO running the budget that reduces a CISO’s ability to execute. However, I have yet to see a model that was flawless or inversely that couldn't work when there is support from the board and from the executive leadership team,” he adds.

To put it another way, CISOs need to be in control of their own purse strings.

“CIOs don't want to lose control, especially when their departments or divisions are the ones that least adhere to security controls,” says Richard Hudson, vice president of cybersecurity & data protection at Cordium, a global risk management firm, and former CISO at Mizuho Bank. “Any CISO or equivalent in that reporting role to the CIO today is already looking for a new job.”

The point being, some CISOs don’t want to be the scapegoat for inadequate IT security if it’s not their doing.

“Chief Risk Officer (CRO) is the other reporting option that is becoming increasingly popular,” says Steven Grossman, vice president of strategy and enablement at Bay Dynamics, an enterprise cyber risk analytics company.
“In my opinion, one of the most important aspects of the CISO's reporting line is that his/her perspective does not get altered (watered down) on its way to the CEO and the board.”

Considering CROs typically don’t report to CEOs, this reporting structure may distance CISOs from top executives.

“As a CIO, I have no problem with the CISO reporting to the CEO,” says Shawn Riley, CIO at the State of North Dakota and former senior IT executive at Mayo Clinic. “CIOs and CISOs need to be partners, but both have deliverables that should receive CEO attention in today's world.”

A working partnership between the CIO and the CISO is clearly a successful formula, regardless of who reports to whom.

“CISOs should report to the CEO with further exposure and responsibility to the board of directors,” says Alp Hug, founder and COO at Zenedge, a DDoS and malware protection vendor. “The time has come for boardrooms to consider cybersecurity a key requirement of every organization's core infrastructure along with a financial system, HRMS, CRM, etc., necessary to ensure the livelihood and continuity of the business.”

If a board of directors says defending their organization against cyber crime and cyber warfare is a top priority, then they’ll demonstrate it by inviting their CISO into the boardroom.

“Of course CISOs and equivalents will say they should report to the CEO,” says John Daniels, global vice president at HIMSS Analytics, a wholly owned subsidiary of HIMSS, a leading healthcare research and advisory firm. “That's what CIOs said when that role came about. There is no single cookie-cutter structure. ... There are many organization-specific factors that come into play (size, resources, etc.).
Do what's best for the organization to achieve the risk level acceptable to the organization.”

Healthcare providers and hospitals are among the most cyber-attacked industries, if not the most. With ransomware attacks on hospitals predicted to quadruple over the next five years, perhaps CISOs reporting directly to CEOs should be the cookie-cutter approach for those organizations.

Another option: The compliance leader (chief compliance officer, senior vice president of compliance, etc.) should report to the board, and the CISO should report to that compliance officer, says Drex DeFord, a member of the board of directors at CynergisTek, Inc., a leading cybersecurity and information management consulting firm dedicated to serving the healthcare industry.

“The board needs to understand the unfiltered risk. Some will say: In a perfect world, everyone collaborates well, and the reporting chain doesn’t matter. So, of course, it does out here in the real world,” says DeFord, who previously held CIO positions at Steward Healthcare, Seattle Children’s Hospital, and Scripps Health, and was once CTO at the U.S. Air Force Office of the Surgeon General.

If a board of directors doesn’t understand their organization’s cyber risks, it isn’t likely they’ll approve a large cybersecurity budget.

CISOs play a critical role at Fortune 500, Global 2000, and mid-sized corporations. Don’t be surprised if yours gets a ticket to the next boardroom dance.

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity. Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn.