For years, Chief Information Security Officers (CISOs) have worked to transform their roles from back-office defenders to strategic advisors. That effort is paying off, as a majority now report directly to CEOs and participate in board meetings. However, instead of their jobs becoming easier, many CISOs report that the challenges they face have only grown more complex.
A recent survey by Splunk revealed that while more CISOs are present at the decision-making table, they continue to struggle with board buy-in and adequate budgets to meet the rising tide of cybersecurity threats.
CISOs Gain Influence but Face Mounting Challenges
The numbers tell a story of progress. Splunk’s survey found that 82% of CISOs now report directly to the CEO, a significant jump from just 47% two years ago. Additionally, 83% of CISOs participate regularly in board meetings. These milestones reflect a growing recognition of cybersecurity’s critical role in modern business.
But progress comes with strings attached. The expanded scope of the CISO role now includes mastering business metrics, legal compliance, and effective communication with non-technical stakeholders. This shift has elevated CISOs from IT managers to strategic players, but it’s also left many feeling overwhelmed. A majority—53%—said their jobs have become more difficult since taking on their current roles.
Boards and CISOs Struggle to Align on Priorities
One of the most persistent challenges for CISOs is securing the necessary funding for cybersecurity initiatives. Only 29% of CISOs surveyed said they have adequate budgets to address today’s threat environment. Strikingly, 41% of non-CISO board members expressed satisfaction with their company’s cybersecurity investments, highlighting a disconnect between perceived needs and allocated resources.
This misalignment stems, in part, from differing measures of success. CISOs prioritize risk reduction and threat mitigation, while boards often focus on cost efficiency and return on investment. This gap complicates conversations about funding and resource allocation, leaving CISOs to advocate harder for essential protections.
Cybersecurity-Savvy Boards Make a Difference
Despite the hurdles, there’s a silver lining: CISOs working with cybersecurity-knowledgeable boards report better outcomes. Boards with members who have cybersecurity experience are more likely to collaborate effectively on strategy, goal setting, and budgeting.
Jessica Sica, CISO at Weave, shared her positive experience working with a security-conscious board. While she reports to the company’s chief legal officer, Sica regularly meets with the executive team and board members. “Having their support and voice makes it easier to get my job done,” she said. However, Sica’s case is an outlier—only 29% of CISOs surveyed have the benefit of a board with cybersecurity expertise.
The Path Forward: Building Better Collaboration
To bridge the gap between CISOs and boards, mutual understanding must improve. Michael Fanning, CISO of Splunk, emphasized the importance of collaboration: “As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other.”
Fanning pointed to two key areas for progress:
- Educating Boards: Boards must understand the nuances of cybersecurity to make informed decisions.
- CISOs as Business Partners: CISOs must continue to develop their business acumen and align security goals with broader company objectives.
These efforts are essential to fostering digital resilience and ensuring that cybersecurity serves as an enabler rather than a hurdle for business success.