CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

The number of CISOs who report directly to the CEO is up sharply in recent years, but many still say it's not enough to secure adequate resources.

Becky Bracken, Senior Editor, Dark Reading

January 24, 2025


After years of leaning into learning the ethos of business leadership and risk management, chief information security officers (CISOs) have gotten their seat at the boardroom table and the power to make decisions. But even so, many say their jobs are more arduous than ever, and that's not how it was supposed to happen.

A full 82% of CISOs who responded to a recent survey from Splunk said they report directly to the CEO, up from just 47% in 2023. In addition, 83% said they participate regularly in board meetings. For their part, CISOs have had to skill up in kind, honing communications skills and learning the boardroom lingo of KPIs and ROI, not to mention becoming more familiar with legal and compliance concerns. In other words, the scope of the CISO role has expanded far beyond just IT security.

Chart: CISOs and boards measure success differently

Source: Splunk, the CISO Report 2025

It's a big change; for years, CISOs were relegated further down the org chart, receiving mandates without any opportunity to provide context to the business. They also became the ones to take the blame for major breaches, landing some in legal entanglements. And that status quo was leading to massive burnout, with the average CISO tenure standing at just two to four years in 2020. By 2023, there was widespread consensus the CISO role needed a rethink.

Hence, more CISOs gaining a seat in the C-suite. And theoretically, putting a CISO in the middle of high-level decision making should help push the case for more cyber investment. But that hasn't been the experience for many, who find that board buy-in is still a challenge. In fact, only 29% of the CISO survey respondents reported they have the necessary budget to keep up with the current threat environment; in contrast, 41% of non-CISO board members said they're satisfied with cybersecurity investment levels.

In all, 53% of CISO respondents in the Splunk survey said their job has actually become "more difficult since they took the job," seat at the table or no.

CISOs With Board Buy-In Do Better

The data also points to a clear-cut solution: Boards with members with cybersecurity backgrounds make a huge difference. Board members with CISO experience work better with cybersecurity teams on setting strategy, goal setting, and critically, budgeting.

Those results mirror the experience of Jessica Sica, CISO at software company Weave. Although she says her role reports to the chief legal officer rather than the CEO, she "regularly" meets with the whole C-team, as well as the board and audit teams. But rather than bogging her down, Sica says her relationship with leadership has made her job easier. But, she adds, Weave's board is cybersecurity savvy.

"I have a very security-conscious boss, and we have a security-concerned board," Sica says. "Having their support and voice makes it easier to get my job done."

Her experience, however, is a minority one: The survey showed only 29% of CISOs had a board with at least one cyber expert.

Progress requires CISOs to keep pushing cyber into the C-suite conversation, and boards to recognize the need to add more cybersecurity experts to their ranks, according to Michael Fanning, CISO of Splunk.

"As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other to drive digital resilience," Fanning said in a statement. "Bringing these groups together requires educating boards on the details of cybersecurity, and for CISOs to understand the language and needs of the business while also making security a business-enabler."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
