Splunk, in collaboration with Oxford Economics, released The CISO Report 2025, a global research report detailing the goals, priorities, and business strategies of Chief Information Security Officers (CISOs) and their boards of directors.
The CISO’s rise to the C-suite comes with more engagement with the boardroom, an audience with the CEO, and the power to make strategic decisions for the business. Notably, 82 per cent of surveyed CISOs now report directly to the CEO, a significant increase from 47 per cent in 2023. In addition, 83 per cent of CISOs participate in board meetings somewhat often or most of the time. While 60 per cent acknowledge that board members with cybersecurity backgrounds more heavily influence security decisions, only 29 per cent of CISOs say their board includes at least one member with cybersecurity expertise.
“As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other in order to drive digital resilience,” said Michael Fanning, Chief Information Security Officer, Splunk. “For CISOs, that means understanding the business beyond their IT environments and finding new ways to convey the ROI of security initiatives to their boards. For board members, it means committing to a security-first culture and consulting the CISO as a primary stakeholder in decisions that impact enterprise risk and governance. Bringing these groups together requires educating boards on the details of cybersecurity, and for CISOs to understand the language and needs of the business while also making security a business enabler.”
“Leading and managing the cybersecurity and privacy programmes at a higher education institution requires strong collaboration and communication with everyone from board members to privacy leaders, staff, faculty, and students to ensure security is integrated into all aspects of the organisation,” said Shefali Mookencherry, Chief Information Security and Privacy Officer, University of Illinois Chicago. “As the role of the CISO grows more complex and critical to organisations, CISOs must be able to balance security needs with business goals, culture, and articulate the value of security investments. By establishing strong relationships across various departments and stakeholders, CISOs can provide guidance and leadership to propel cybersecurity and privacy programmes.”
The impact of CISO-board alignment
Board members with a CISO background report stronger relationships with security teams and feel more confident about the organisation’s security posture. They are less likely than other board members to express concern they are not doing enough to protect the organisation (37 per cent versus 62 per cent survey average). Board respondents reported excellent or very good working relationships between the CISOs and board in the following areas:
- Setting and aligning on strategic cybersecurity goals (80 per cent for boards with a CISO member versus 27 per cent for boards without a CISO member)
- Communicating progress against milestones, security goal achievement and plan of record (60 per cent for boards with a CISO member versus 16 per cent for boards without a CISO member)
- Budgeting adequately to meet goals (50 per cent for boards with a CISO member versus 24 per cent for boards without a CISO member)
CISOs with healthy board relationships also tend to have better collaboration throughout the organisation, reporting particularly strong partnerships with IT operations (82 per cent versus 69 per cent of other CISOs) and engineering (74 per cent versus 63 per cent of other CISOs). CISOs with good board relationships are also more likely to be given the ability to pursue use cases for generative AI, such as creating threat detection rules (43 per cent versus 31 per cent of other CISOs), analysing data sources (45 per cent versus 28 per cent of other CISOs), incident response and forensic investigations (42 per cent versus 29 per cent of other CISOs), and proactive threat hunting (46 per cent versus 28 per cent of other CISOs).
Bridging the CISO-board divide: priorities, skills, and measuring success
While CISOs and boards indicate closer alignment on security priorities, gaps still persist. The largest gaps in top priorities between CISOs and boards include:
- Innovating with emerging technologies (52 per cent of CISOs deem it a priority versus 33 per cent for board members)
- Upskilling or reskilling security employees (51 per cent for CISOs versus 27 per cent for boards)
- Contributing to revenue growth initiatives (36 per cent for CISOs versus 24 per cent for boards)
Boards have high expectations around CISOs building new skills to become better business leaders. However, learning new skills makes the CISO’s job more complex, with 53 per cent saying their responsibilities and job expectations have become more difficult since they took the job. When asked what skills CISOs should develop, the biggest gaps in importance include:
- Business acumen (55 per cent for boards versus 40 per cent for CISOs)
- Emotional intelligence (45 per cent for boards versus 35 per cent for CISOs)
- Communication (52 per cent for boards versus 47 per cent for CISOs)
- Regulation and compliance knowledge (44 per cent for boards versus 57 per cent for CISOs)
While boards and CISOs agree on core cybersecurity KPIs, 79 per cent of CISOs say KPIs for their security teams have changed substantially over recent years. Forty-six per cent of CISOs said attaining security milestones was indicative of their success, compared to only 19 per cent of board respondents.
Maintaining compliance is business critical
Regulatory environments have become more complex, expansive, and punitive, requiring faster incident reporting and placing more liability squarely on CISOs’ shoulders. While maintaining compliance is vital to the business, only 15 per cent of CISOs ranked compliance status as a top performance metric, a significant disconnect compared to 45 per cent of boards. Twenty-one per cent of CISOs revealed they had been pressured not to report a compliance issue; however, 59 per cent said they would become a whistleblower if their organisation was ignoring compliance requirements.
Budget cuts have serious consequences
Cyber budgets reflect inconsistent support and misalignment, with 29 per cent of CISOs saying they receive the proper budget for cybersecurity initiatives and for accomplishing their security goals, compared to 41 per cent of board members who think cybersecurity budgets are adequate. Sixty-four per cent of CISOs reveal that the current threat and regulatory environment makes them concerned they’re not doing enough. Eighteen per cent of CISOs revealed they were unable to support a business initiative because of budget cuts in the last 12 months, and 64 per cent said that lack of support led to a cyberattack. CISOs also reported reduced security solutions and tools (50 per cent), security hiring freezes (40 per cent), and decreased or eliminated security training (36 per cent) as top cost-saving measures. Ninety-four per cent of CISOs report being victims of a disruptive cyberattack, with 55 per cent experiencing them at least a couple of times, and another 27 per cent experiencing them many times.