This thesis explores the role and challenges of Chief Information Security Officers (CISOs)—or their functional equivalents—in cybersecurity governance and policy resilience within Swedish municipalities. As cyber threats increase and regulatory demands grow under frameworks like NIS2 and GDPR, municipalities are under pressure to strengthen their cybersecurity capabilities. However, the effectiveness of these efforts depends heavily on governance structures and the individuals responsible for leading cybersecurity work. The study adopts a qualitative case study approach, focusing on eight Swedish municipalities with 14 participants. Semi-structured interviews and document analysis were conducted to investigate three main research questions concerning: (1) the role of CISOs in local cybersecurity governance, (2) the challenges they face in carrying out their responsibilities, and (3) how governance structures influence municipal cybersecurity resilience. The findings reveal significant differences in how cybersecurity is structured, resourced, and governed across municipalities. Key challenges include limited authority, budgetary constraints, competence shortages, and unclear organizational mandates. The application of Agency Theory highlights the misalignment between responsibility and control, while Resilience Theory provides insight into how governance affects adaptive capacity in response to cyber threats. The study concludes that formalizing cybersecurity roles, improving leadership engagement, and aligning local governance with national frameworks are essential to strengthening cybersecurity resilience in Swedish municipalities. These insights contribute to both academic understanding and practical improvements in public-sector cybersecurity governance.