Cisco has released findings from Splunk’s annual CISO Report, From Risk to Resilience in the AI Era, highlighting how the chief information security officer role is expanding as organisations accelerate AI adoption and face a more complex threat landscape.
Globally, 53% of CISOs say their responsibilities and expectations have become harder over the past year, reflecting broader accountability across cybersecurity, operational resilience and AI governance. In Australia and New Zealand, the data suggests that pressure is particularly acute, with 91.4% of CISOs agreeing the role has become more complex and difficult since they took on the position.
The findings point to a shift in the CISO mandate, from technical oversight to enterprise-wide risk stewardship. In ANZ, 82.9% of CISOs say they are concerned about personal liability for cybersecurity incidents. Notably, 44.3% say they would act as a whistleblower if their organisation was wilfully ignoring security best practice or compliance requirements and putting the business at risk — an indicator of rising personal and ethical stakes attached to the role.
AI adoption is a central theme of the report. While 64.6% of ANZ respondents say they have exceeded expectations in automation, concerns about governance and oversight remain prominent.
Almost 93% use mean time to detect (MTTD) and mean time to respond (MTTR) to measure the value AI brings to their security programs, underscoring the operational focus on measurable efficiency gains.
However, 88.6% rank missed alerts or false positives due to hallucinations as their primary concern around agentic AI, and half cite lack of human oversight or AI making critical decisions as a key risk. In response, 84.3% say they are enhancing AI governance capabilities and controls.
Marc Caltabiano, Regional Vice President, ANZ at Splunk, said the role is broadening beyond traditional technology investment. “The CISO role in ANZ is expanding in both scope and accountability. As AI becomes woven into the fabric of business operations, the mandate is moving beyond technology investment to governance, regulatory readiness and broader executive risk ownership,” he said.
He added that while AI can improve operational effectiveness, human judgement remains central. “AI is a powerful enabler, but accountability and judgement still rely on human expertise and creativity.”
Beyond AI, the report highlights persistent workforce pressures. Ninety percent of ANZ CISOs identify threat hunting and cyber threat intelligence as the skill sets most lacking in their organisations. Burnout also remains a concern, with 50% reporting moderate burnout and 21.4% reporting significant burnout. Looking ahead, 48.6% expect some cybersecurity skills gaps to remain unfilled, while 31.4% anticipate most gaps will persist.
Interestingly, the pace of technological advancement is seen as a greater near-term challenge than geopolitics. Just over half (51.4%) of ANZ respondents say developments such as AI and quantum computing present a significant challenge to their cybersecurity programs, compared with 47.1% who cite increasingly sophisticated threat actors. By contrast, 67.1% view geopolitical and macroeconomic uncertainty as a minimal challenge over the next 12 months.
Demonstrating return on investment remains another pressure point. Nearly 89% cite conflicting priorities between business units and security teams as a barrier to accurately demonstrating ROI, while 81.4% point to a lack of clear KPIs. At the same time, 88.6% rank reduction in security incidents as the most representative outcome of a successful cybersecurity program — a metric that can be difficult to attribute directly to specific investments.
Taken together, the ANZ data reflects a CISO community navigating heightened accountability, rapid technological change and ongoing workforce strain. As AI becomes embedded across enterprise operations, the report suggests the challenge for security leaders is less about adoption and more about governance, alignment and sustaining human oversight in increasingly automated environments.
You can read the full report here.
