The Rise of CISO Confidence in the C-Suite

In a significant shift, chief information security officers (CISOs) have finally found a place at the boardroom table, with the authority to make critical decisions. However, despite this progress, many CISOs are facing more challenges than ever, contrary to what was anticipated.

According to a recent survey conducted by Splunk, 82% of CISOs now report directly to the CEO, a significant increase from just 47% in 2023. Additionally, 83% of CISOs stated that they are actively involved in board meetings. This shift in reporting structure has demanded that CISOs enhance their skills, focusing on strengthening their communication abilities and familiarizing themselves with boardroom terminology related to key performance indicators (KPIs) and return on investment (ROI). Moreover, CISOs have had to broaden their knowledge to encompass legal and compliance issues, reflecting the expanded scope of their role beyond traditional IT security.

Previously, CISOs were often marginalized within organizations, lacking the opportunity to provide context for their decisions and frequently bearing the blame for major security breaches. This status quo resulted in high levels of burnout among CISOs, with the average tenure in the role lasting only two to four years by 2020. By 2023, a consensus had emerged among CISOs that the role required a reevaluation.

Despite the newfound access to the C-suite, many CISOs have found it challenging to gain board buy-in for cybersecurity initiatives. Only 29% of survey respondents stated that they have adequate budgetary resources to address current threat landscapes, while 41% of non-CISO board members expressed satisfaction with existing levels of cybersecurity investment. Consequently, 53% of CISOs reported that their roles had become more demanding since assuming their positions, signaling that the transition to the boardroom has not necessarily simplified their responsibilities.

The survey also highlighted the importance of having board members with cybersecurity expertise. Boards with CISO experience were found to collaborate more effectively with cybersecurity teams, particularly in strategy development, goal setting, and budget allocation. Jessica Sica, CISO at Weave, noted that her relationship with leadership had facilitated her job responsibilities, owing to the cybersecurity awareness of the company’s board.

While progress has been made in integrating cybersecurity into boardroom discussions, there remains a need for more cybersecurity experts on boards. Michael Fanning, CISO of Splunk, emphasized the importance of educating boards on cybersecurity intricacies and aligning the language and priorities of CISOs with those of the business to enhance digital resilience. As cybersecurity continues to play a vital role in driving business success, bridging the gap between CISOs and boards is crucial for achieving effective cybersecurity strategies.
