Companies need strong leadership and processes so that their digital transformation initiatives can be protected and secured with professional security measures. This field of activity is increasingly being assigned to a Chief Information Security Officer (CISO). This person should identify, communicate, and manage information risks. Management should also extend beyond the purely technical area to the company’s legal department and executive board. However, a direct reporting line to the board does not guarantee that IT security is really in the hands of executive management and given the priority that it should have within the company. Every organization must find its own chain of responsibility, which ensures that the concerns of the head of security are actually listened to and actioned. Ultimately, the specific design of governance structures will also have to be the result of a comprehensive risk analysis within the company. In many cases, close cooperation with the CEO will be a good way to accomplish this. The reporting line of CISO-to-Chief Compliance Officer (CCO)- to-CEO can also create a good balance between the CIO, who is driving digital change, and the CISO, who is concerned about IT security issues.