In a recent global study by Splunk and Oxford Economics, a significant shift has emerged in the role of Chief Information Security Officers (CISOs). Now, 82% of CISOs report directly to CEOs, a stark rise from just 47% in 2023. The study, conducted in June and July 2024, surveyed 600 participants—500 were CISOs or security leaders and 100 were board members. Participants came from ten countries, including the US, UK, Japan, and India, covering a range of industries from healthcare to finance.
CISOs are participating more frequently in board meetings, with 83% attending often. Despite this increased involvement, only 29% of boards include even one member with cyber security expertise. This points to a concerning disconnect between CISOs and board members. For example, 52% of CISOs prioritize innovating with emerging technologies, while only 33% of board members share this focus. Likewise, 51% of CISOs aim to upskill security teams, in contrast to just 27% of boards.
Compliance metrics also showcase this gap. Only 15% of CISOs place top importance on compliance status, compared to 45% of boards. Alarmingly, 21% of CISOs reported feeling pressured not to disclose compliance issues, and 59% would consider whistleblowing if their organization violated compliance rules. Budget concerns add another layer: only 29% of CISOs feel adequately funded, while 41% of board members are satisfied with their cyber security budgets.
The threat landscape looms large. Around 64% of CISOs feel unable to adequately address current threats and regulatory demands. Some have had to halt business initiatives due to budget cuts in the past year. Nearly all CISOs reported experiencing a disruptive cyber attack, and many said that cost-saving measures had hampered their security capabilities, such as hiring freezes (40%) and cuts to security training (36%).
Research from Informa TechTarget adds to this picture, emphasizing the changing dynamics in the relationship between cyber security professionals and organizational leaders. While nearly two-thirds say CISOs regularly engage with the board, a little over half find this interaction adequate. Many cyber security professionals look to their CISOs for advocacy in the boardroom, yet 24% feel they lack sufficient presence among corporate leaders.
In terms of skills development, gaps remain. A significant number of board members rated business acumen and emotional intelligence as crucial skills that CISOs need to enhance. Splunk’s CISO, Michael Fanning, noted that as security becomes integral to business success, aligning CISOs and boards will become even more critical. He stressed that CISOs must understand business implications beyond IT, while boards should foster a security-first culture.
Shefali Mookencherry from the University of Illinois Chicago highlighted the necessity of strong communication across various organizational layers. Successful integration of security into an organization demands collaboration. The study reveals that board members who have a CISO on their team enjoy stronger relationships with security teams and greater confidence in their organization’s overall security posture.
When boards include a CISO, 80% report excellent collaboration in establishing cybersecurity goals and better communication on project progress. Furthermore, CISOs with favorable board relationships are more likely to gain approval for advanced security measures, like generative artificial intelligence applications.