CISOs are gaining more influence in the boardroom, and it’s about time
Closer ties between CISOs and C-suite execs offer marked benefits for enterprises


The role of the CISO is growing in status as cybersecurity becomes an increasingly pressing issue for enterprises globally, new research shows.
A recent study from Splunk shows security execs are being granted more powers to make strategic decisions for the business and are fostering closer collaborative ties with the boardroom and CEO.
More than eight-in-ten CISOs now report directly to the CEO, a huge increase from 47% in 2023. Meanwhile, 83% participate in board meetings somewhat often or most of the time.
However, while six-in-ten acknowledge that board members with cybersecurity backgrounds have a more powerful influence on security decisions, only 29% say their board includes at least one member with cybersecurity expertise.
"As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other in order to drive digital resilience," said Michael Fanning, chief information security officer at Splunk.
"For CISOs, that means understanding the business beyond their IT environments and finding new ways to convey the ROI of security initiatives to their boards. For board members, it means committing to a security-first culture and consulting the CISO as a primary stakeholder in decisions that impact enterprise risk and governance."
CISOs on the board build strong security practices
Splunk’s research found that board members with a security background reported stronger relationships with security teams, and felt more confident about the organization’s security posture.
They were much less likely than other board members to express concern they weren't doing enough to protect the organization.
Working relationships where a board member had a security background were particularly good when it came to setting and aligning on strategic cybersecurity goals, with CISOs on the board delivering a three-fold improvement.
Other areas to benefit included communicating progress against milestones and security goal achievements, along with budgeting adequately to meet goals.
There were, though, differences in priorities. More than half of CISOs thought innovating with emerging technologies was a priority, compared with just a third for board members. A similar proportion of CISOs prioritized upskilling or reskilling security employees, versus only 27% for boards.
"As the role of the CISO grows more complex and critical to organizations, CISOs must be able to balance security needs with business goals, culture, and articulate the value of security investments," commented Shefali Mookencherry, chief information security and privacy officer at the University of Illinois Chicago.
"By establishing strong relationships across various departments and stakeholders, CISOs can provide guidance and leadership to propel cybersecurity and privacy programs."
CISOs face regulatory challenges
As regulatory environments have become more complex, expansive, and punitive, CISOs are having to deliver faster incident reporting, and are facing more liability.
However, only 15% of CISOs ranked compliance status as a top performance metric, a significant contrast to 45% of boards. Nearly a quarter (21%) of CISOs said they'd been pressured not to report a compliance issue, although 59% said they would become a whistleblower if their organization was ignoring compliance requirements.
Meanwhile, cyber budgets reflect inconsistent support and misalignment, with three-in-ten CISOs saying they receive the appropriate budget for cybersecurity initiatives and accomplishing their security goals, compared with four-in-ten board members who think budgets are adequate.
Other woes included concerns that they're not doing enough, with 18% revealing they were unable to support a business initiative because of budget cuts in the last 12 months. Nearly two-thirds said that lack of support led to a cyber attack.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.