Chief Information Security Officers (CISOs) are taking on more influential roles within organisations, according to The CISO Report 2025 released by Splunk in partnership with Oxford Economics. The report reveals a dramatic rise in CISOs reporting directly to CEOs and participating actively in board meetings, indicating their growing strategic importance in businesses worldwide.
The report found that 82% of CISOs now report directly to the CEO, a significant jump from 47% in 2023. Furthermore, 83% of CISOs are involved in board meetings either somewhat often or most of the time. While these developments underscore their elevated role, the findings also highlight gaps in board-level cybersecurity expertise, with only 29% of CISOs reporting that their boards include at least one member with a cybersecurity background.
CISO-board collaboration improves security posture
CISOs are increasingly recognised as key stakeholders in enterprise risk and governance, with their influence extending beyond IT environments. Michael Fanning, Chief Information Security Officer at Splunk, emphasised the importance of collaboration between CISOs and boards, “For CISOs, that means understanding the business beyond their IT environments and finding new ways to convey the ROI of security initiatives to their boards. For board members, it means committing to a security-first culture and consulting the CISO as a primary stakeholder in decisions that impact enterprise risk and governance.”
The report showed that boards with members experienced in cybersecurity tend to foster stronger relationships with their CISOs and exhibit greater confidence in their organisation’s security measures. Only 37% of board members with cybersecurity expertise expressed concern about inadequate organisational protection, compared to 62% of their peers.
In addition, boards with CISO representation reported higher alignment on cybersecurity goals (80% versus 27% without a CISO member), better communication of progress (60% versus 16%), and more effective budgeting (50% versus 24%).
Strong CISO-board relationships also correlate with improved collaboration across organisations. CISOs who reported strong ties with their boards showed better integration with IT operations (82% versus 69%) and engineering teams (74% versus 63%). These CISOs were also more likely to adopt generative AI technologies for threat detection, data analysis, incident response, and proactive threat hunting.
Gaps in priorities and skills remain
Despite increased collaboration, gaps persist between CISOs and boards. For example, 52% of CISOs identified emerging technologies as a top priority, while only 33% of board members shared this view. Similarly, upskilling security employees was deemed important by 51% of CISOs, compared to just 27% of board members.
CISOs face growing demands to develop business-related skills. Boards expect CISOs to improve their business acumen (55% for boards versus 40% for CISOs), emotional intelligence (45% versus 35%), and communication skills (52% versus 47%). However, these expectations add complexity to the role, with 53% of CISOs reporting increased job challenges since they began their roles.
Another significant disconnect lies in performance metrics. While 46% of CISOs believe achieving security milestones indicates success, only 19% of board members agreed. Maintaining compliance remains critical, though it ranks as a top performance metric for just 15% of CISOs compared to 45% of boards.
Budget cuts and compliance pressures
Cybersecurity budgets remain a challenge, with only 29% of CISOs stating their budgets are sufficient to meet goals. This contrasts with 41% of board members who believe budgets are adequate. Budget constraints have led to reduced tools (50%), hiring freezes (40%), and cuts to security training (36%). Alarmingly, 18% of CISOs reported being unable to support business initiatives due to budget cuts, with 64% linking these limitations to cyberattacks.
The regulatory landscape also adds pressure, as only 15% of CISOs prioritise compliance metrics. However, 59% said they would act as whistleblowers if their organisations ignored compliance requirements.
Splunk’s report highlights the urgent need for greater alignment between CISOs and boards, as cybersecurity continues to play a critical role in ensuring organisational resilience and success in a rapidly evolving threat landscape.