Splunk and Oxford Economics release The CISO Report 2025
Image by r.classen / copyright Shutterstock
The CISO's rise to the C-suite comes with more engagement with the boardroom, an audience with the CEO and the power to make strategic decisions for the business. Notably, 82% of surveyed CISOs now report directly to the CEO, a significant increase from 47% in 2023. In addition, 83% of CISOs participate in board meetings somewhat often or most of the time. While 60% acknowledge that board members with cybersecurity backgrounds more heavily influence security decisions, only 29% of CISOs say their board includes at least one member with cybersecurity expertise.
Michael Fanning, Chief Information Security Officer, Splunk, said: "As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment and better understand each other in order to drive digital resilience.
"For CISOs, that means understanding the business beyond their IT environments and finding new ways to convey the ROI of security initiatives to their boards. For board members, it means committing to a security-first culture and consulting the CISO as a primary stakeholder in decisions that impact enterprise risk and governance.
"Bringing these groups together requires educating boards on the details of cybersecurity and for CISOs to understand the language and needs of the business while also making security a business enabler."
Shefali Mookencherry, Chief Information Security and Privacy Officer, University of Illinois Chicago, said: "Leading and managing the cybersecurity and privacy programmes at a higher education institution requires strong collaboration and communication with everyone from board members to privacy leaders, staff, faculty and students to ensure security is integrated into all aspects of the organisation.
"As the role of the CISO grows more complex and critical to organisations, CISOs must be able to balance security needs with business goals, culture and articulate the value of security investments. By establishing strong relationships across various departments and stakeholders, CISOs can provide guidance and leadership to propel cybersecurity and privacy programmes."
The impact of CISO-board alignment
Board members with a CISO background report stronger relationships with security teams and feel more confident about the organisation's security posture. They are less likely than other board members to express concern they are not doing enough to protect the organisation (37% versus 62% survey average). Board respondents reported excellent or very good working relationships between the CISOs and board in the following areas:
- Setting and aligning on strategic cybersecurity goals (80% for boards with a CISO member versus 27% for boards without a CISO member)
- Communicating progress against milestones, security goal achievement and plan of record (60% for boards with a CISO member versus 16% for boards without a CISO member)
- Budgeting adequately to meet goals (50% for boards with a CISO member versus 24% for boards without a CISO member)
CISOs with healthy board relationships also tend to have better collaboration throughout the organisation, reporting particularly strong partnerships with IT operations (82% versus 69% of other CISOs) and engineering (74% versus 63% of other CISOs). CISOs with good board relationships are also more likely to be given the ability to pursue use cases for generative AI, such as creating threat detection rules (43% versus 31% of other CISOs), analysing data sources (45% versus 28% of other CISOs), incident response and forensic investigations (42% versus 29% of other CISOs) and proactive threat hunting (46% versus 28% of other CISOs).
Bridging the CISO-board divide: priorities, skills and measuring success
While CISOs and boards indicate closer alignment on security priorities, gaps still persist. The largest gaps in top priorities between CISOs and boards include:
- Innovating with emerging technologies (52% of CISOs deem it a priority versus 33% for board members)
- Upskilling or reskilling security employees (51% for CISOs versus 27% for boards)
- Contributing to revenue growth initiatives (36% for CISOs versus 24% for boards)
Boards have high expectations around CISOs building new skills to become better business leaders. However, learning new skills makes the CISO's job more complex, with 53% saying their responsibilities and job expectations have become more difficult since they took the job. When asked what skills CISOs should develop, the biggest gaps in importance include:
- Business acumen (55% for boards versus 40% for CISOs)
- Emotional intelligence (45% for boards versus 35% for CISOs)
- Communication (52% for boards versus 47% for CISOs)
- Regulation and compliance knowledge (44% for boards versus 57% for CISOs)
While boards and CISOs agree on core cybersecurity KPIs, 79% of CISOs say KPIs for their security teams have changed substantially over the recent years. Forty-six percent of CISOs said attaining security milestones was indicative of their success, compared to only 19% of board respondents.
Maintaining compliance becomes business critical
Regulatory environments have become more complex, expansive, and punitive, requiring faster incident reporting and placing more liability squarely on CISOs' shoulders. While maintaining compliance is vital to the business, only 15% of CISOs ranked compliance status as a top performance metric, a significant disconnect compared to 45% of boards. Twenty-one percent of CISOs revealed they had been pressured not to report a compliance issue, however, 59% said they would become a whistleblower if their organisation was ignoring compliance requirements.
Budget cuts have serious consequences
Cyber budgets reflect inconsistent support and misalignment, with 29% of CISOs saying they receive the proper budget for cybersecurity initiatives and accomplishing their security goals, compared to 41% of board members who think cybersecurity budgets are adequate. Sixty-four percent of CISOs reveal that the current threat and regulatory environment make them concerned they are not doing enough. Eighteen percent of CISOs revealed they were unable to support a business initiative because of budget cuts in the last 12 months and 64% said that lack of support led to a cyberattack.
CISOs also reported reduced security solutions and tools (50%), security hiring freezes (40%) and decreased or eliminated security training (36%) as top cost-saving measures. Ninety-four percent of CISOs report being victims of a disruptive cyberattack, with 55% experiencing them at least a couple of times and another 27% experiencing them many times.
The global survey was conducted in June and July 2024 in partnership with Oxford Economics. The report surveyed 600 respondents (500 CISOs, CSOs, or equivalent security leaders and 100 board members). Respondent categories included CISOs who self-identified as board members.
The survey respondents were drawn from 10 countries: Australia, France, Germany, Italy, India, Japan, New Zealand, Singapore, UK and US. They also represented 16 industries: agriculture, business services, construction/engineering, education, energy and utilities, financial services, government, healthcare, life sciences, information services, technology, manufacturing, retail, consumer goods, telecom and media and communications.
Oxford Economics also conducted eight in-depth interviews with CISOs and board members for qualitative insight.
To download The 2025 CISO Report: www.splunk.com/en_us/campaigns/ciso-report.html
