Companies are moving to avoid internal conflicts of interest by requiring cybersecurity leaders to report to executives outside the technology group, including the chief executive.