In a global study of the goals, priorities and strategies of chief information security officers (CISOs), security analytics and observability supplier Splunk and economic advisory firm Oxford Economics found that 82% of CISOs now report directly to CEOs, a dramatic increase from 47% in 2023.
The CISO report 2025 also revealed that 83% of CISOs participate in board meetings somewhat often or most of the time. However, only 29% of CISOs said their board includes at least one member with cyber security expertise.
The global study was conducted in June and July 2024 with Oxford Economics. It surveyed 600 respondents, 500 of them CISOs, CSOs, or equivalent security leaders, and 100 board members.
Respondents were drawn from 10 countries: Australia, France, Germany, Italy, India, Japan, New Zealand, Singapore, the UK, and the US. They represented 16 industries, including agriculture, financial services, government, healthcare, manufacturing and retail.
Oxford Economics also interviewed eight CISOs and board members.
Disconnect persists
Despite finding increased CISO participation at the highest leadership level of companies and other organisations, the research also discovered that gaps still exist between CISOs and boards.
The largest gaps included innovating with emerging technologies (52% of CISOs make it a priority, versus 33% for board members), upskilling or reskilling security employees (51% for CISOs, 27% for boards), and contributing to revenue growth initiatives (36% for CISOs, 24% for boards).
Only 15% of CISOs ranked compliance status as a top performance metric – a significant difference with boards, at 45%. Some 21% of CISOs said they had been pressured not to report a compliance issue, and 59% said they would become a whistleblower if their organisation was flouting compliance requirements.
Only 29% of CISOs said they receive the proper budget for cyber security initiatives and achieving their security goals, compared with 41% of board members who think cyber security budgets are just fine.
Some 64% of CISOs said the current threat and regulatory environment makes them concerned they’re falling short, 18% said they had been unable to support a business initiative because of budget cuts in the prior 12 months, and 64% said lack of support had led to cyber attacks. Half of the CISOs also said cost-saving initiatives had reduced the arsenal of security tools at their disposal, led to hiring freezes (40%), and reduced or got rid of security training (36%).
Almost all (94%) CISOs reported being victims of a disruptive cyber attack, with 55% experiencing them at least a couple of times and another 27% experiencing them many times.
Life and times of cyber security professionals
This nuanced picture, suggesting an enduring disconnect between cyber security professionals and boards, despite some progress, is borne out by ongoing research into the life and times of cyber security professionals that Informa TechTarget’s Enterprise Strategy Group publishes, in association with the Information Systems Security Association (ISSA).
In the most recent, and seventh, iteration of this research, Jon Oltsik, analyst emeritus, and Bill Lundell, senior director of syndicated research, said: “Cyber security professionals look to their CISOs to champion their cause with executives and in the boardroom. While this is happening, 24% of respondents believe CISOs aren’t participating enough with corporate leaders. The dangerous threat landscape and new regulations will likely amplify CISO voices in the near future. Meanwhile, cyber security professionals stress that CISOs need strong communication and leadership skills most, reflecting the business nature of the job.”
That report found that nearly two-thirds of respondents said their CISO regularly interacts with the board of directors, but just more than half said this level of interaction was adequate.
In the Splunk report, 53% of CISOs said their responsibilities and job expectations have become more difficult since they took the job.
When respondents were asked what skills CISOs should develop, the biggest gaps were:
- Business acumen (55% for boards, 40% for CISOs).
- Emotional intelligence (45% for boards, 35% for CISOs).
- Communication (52% for boards, 47% for CISOs).
- Regulation and compliance knowledge (44% for boards, 57% for CISOs).
Splunk’s own CISO, Michael Fanning, said in connection with the report: “As cyber security becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment and better understand each other to drive digital resilience.
“For CISOs, that means understanding the business beyond their IT environments and finding new ways to convey the ROI [return on investment] of security initiatives to their boards. For board members, it means committing to a security-first culture and consulting the CISO as a primary stakeholder in decisions that impact enterprise risk and governance. Bringing these groups together requires educating boards on the details of cyber security, and for CISOs to understand the language and needs of the business while also making security a business enabler.”
Shefali Mookencherry, chief information security and privacy officer at the University of Illinois Chicago, added: “Leading and managing the cyber security and privacy programmes at a higher education institution requires strong collaboration and communication with everyone from board members to privacy leaders, staff, faculty and students to ensure security is integrated into all aspects of the organisation.
“As the role of the CISO grows more complex and critical to organisations, CISOs must be able to balance security needs with business goals and culture, and articulate the value of security investments. By establishing strong relationships across various departments and stakeholders, CISOs can provide guidance and leadership to propel cyber security and privacy programmes.”
The study found that board members with a CISO background report having stronger relationships with security teams and feeling more confident about the organisation’s security posture.
Board respondents themselves reported excellent or very good working relationships between CISOs and boards in setting and aligning strategic cyber security goals – 80% for boards with a CISO member, versus 27% for boards without a CISO member. Boards with CISOs emerged as boasting better communication about project progress and hitting goals – 60% for boards with a CISO member, versus 16% for boards without a CISO member.
CISOs with good board relationships are also more likely to be given the go-ahead for generative artificial intelligence (GenAI) use cases, such as creating threat detection rules (43% versus 31% of other CISOs), analysing data sources (45% versus 28% of other CISOs), incident response and forensic investigations (42% versus 29% of other CISOs), and proactive threat hunting (46% versus 28% of other CISOs).