The Rise of CISOs in Executive Leadership: Growing Influence in the Corporate Top Tier

The role of the Chief Information Security Officer (CISO) is rapidly evolving, establishing itself as a key figure in the strategic decision-making of organizations. According to the CISO Report 2025, prepared by Splunk Inc. in collaboration with Oxford Economics, CISOs are gaining greater influence in the C-suite and boards of directors worldwide.

The report reveals that 82% of surveyed CISOs now report directly to the CEO, a significant increase from 47% in 2023. In addition, 83% of them regularly participate in board meetings, demonstrating a structural shift in the governance of cybersecurity. However, challenges remain in aligning strategies and in the representation of security experts on boards.


Cybersecurity and Business Strategy: The New Role of the CISO

The rise of cyberattacks and stricter regulations has led companies to place greater importance on digital security. According to Michael Fanning, CISO of Splunk, this new prominence means that CISOs must understand the business beyond their technological environment, translating security investments into terms of return on investment (ROI) and digital resilience.

Despite the growing recognition of cybersecurity as a critical factor for business success, there is a knowledge gap between CISOs and boards of directors. Only 29% of surveyed CISOs indicated that their board includes at least one member with cybersecurity expertise, which may limit the effectiveness of decision-making in this area.


Boards of Directors with Cybersecurity Expertise: A Positive Impact

The report highlights that boards that include members with a background in cybersecurity tend to have a better relationship with security teams and greater confidence in the organization’s security posture.

The numbers support this:

  • 80% of boards with a CISO among their members feel there is a clear alignment on strategic cybersecurity objectives, compared to 27% of boards without a CISO.
  • 60% of these boards highlight effective communication regarding security progress and achievements, versus 16% in boards without a CISO.
  • 50% of boards with a CISO state that the budgets allocated for security are adequate, compared to just 24% in boards without a CISO.

Additionally, CISOs with strong relationships with boards of directors report better collaboration with other key departments, such as IT operations (82% versus 69% of other CISOs) and engineering (74% versus 63% of other CISOs).


Priorities and Challenges: The Gap Between CISOs and Boards

While CISOs and boards are increasingly aligned on the importance of cybersecurity, there remain differences in strategic priorities. Among the main discrepancies are:

  • Innovation with emerging technologies: 52% of CISOs consider it a priority, compared to 33% of board members.
  • Training of security personnel: 51% of CISOs view it as crucial, compared to 27% of boards.
  • Contribution to revenue growth initiatives: 36% of CISOs highlight this, versus 24% of boards.

Moreover, boards expect CISOs to expand their skills in business leadership, but 53% of CISOs feel their responsibilities have increased in complexity since taking the role. The main discrepancies in prioritized skills include:

  • Business Acumen: 55% of boards see it as essential, compared to 40% of CISOs.
  • Emotional Intelligence: 45% for boards, compared to 35% of CISOs.
  • Effective Communication: 52% for boards, against 47% of CISOs.
  • Regulatory Knowledge and Compliance: 44% for boards, while 57% of CISOs already consider it key.

Regulatory Compliance: A Growing Concern

The tightening of regulations on cybersecurity and data protection is increasing pressure on CISOs. However, the report reveals a misalignment in the valuation of regulatory compliance within organizations:

  • Only 15% of CISOs consider compliance status as a key performance indicator (KPI), compared to 45% of boards of directors.
  • 21% of CISOs admit to being pressured to not report a compliance issue.
  • 59% of CISOs stated that, should their organization ignore regulatory requirements, they would be willing to blow the whistle.

This disconnect between CISOs and boards may compromise organizational integrity and increase the risk of regulatory penalties.


Insufficient Budgets: A Latent Risk

One of the main problems facing CISOs is the lack of financial support for security initiatives.

  • Only 29% of CISOs feel they have adequate budgets to achieve their security goals, compared to 41% of boards of directors who believe the allocations are sufficient.
  • 64% of CISOs express concern about not doing enough given the current threat landscape and regulations.
  • 18% of CISOs stated that in the last 12 months, they were unable to support a business initiative due to budget cuts.
  • 64% of CISOs indicated that the lack of investment in security resulted in a cyberattack.

Budget cuts have had tangible consequences on cybersecurity strategies, with negative effects on:

  • Reduction of security tools and solutions (50%).
  • Hiring freezes in security (40%).
  • Decrease or elimination of security training (36%).

The impact of these measures is evident: 94% of CISOs have been victims of a disruptive cyberattack, with 55% experiencing them occasionally and 27% suffering them frequently.


Conclusion: The CISO as a Strategic Pillar

The report from Splunk and Oxford Economics highlights that the role of the CISO has evolved from being a technical expert to becoming a strategic leader with a voice in senior management. However, challenges remain that must be addressed to maximize their impact on the business:

  • Increased representation of cybersecurity experts on boards to enhance decision-making.
  • Alignment of priorities between CISOs and boards in technological innovation and security training.
  • Adequate allocation of security budgets to avoid operational and regulatory risks.
  • Strengthening regulatory compliance as part of the business strategy.

As cyber threats grow and sector regulation increases, CISOs will continue to gain prominence in the C-suite and boards of directors. Those companies that manage to integrate cybersecurity into their business strategy will be better prepared to face the challenges of the digital economy.

via: Splunk
