CISOs are gaining ground in the boardroom

Chief Information Security Officers are gaining more influence within the C-suite and boardrooms: that is the conclusion of Splunk’s 2024 CISO report. Worldwide, the percentage of CISOs reporting directly to the CEO has risen from 47% in 2023 to 82% in 2024.

Daphne Frik
31 January 2025 | 2-minute read

Strengthening connection with the boardroom

The rise of CISOs to the C-suite has strengthened their connection with the boardroom, given them a direct line to the CEO, and enhanced their role in strategic decision-making, the report highlights. In addition to the significant increase in CISOs reporting directly to the CEO, 83% of CISOs now also frequently participate in board meetings, according to the report. However, although 60% of CISOs acknowledge that board members with a cybersecurity background have a greater influence on security decisions, only 29% of CISOs report having at least one cybersecurity expert on their board.

Stronger relationships and greater confidence

This remains a point for improvement, as there appear to be clear benefits to adding board members with a cybersecurity background. Board members with a CISO background have reported stronger relationships with security teams and greater confidence in the organization’s security posture. At the same time, they are less likely than other CIOs to feel they are doing too little to protect the business.

In addition, CISOs with healthy relationships with board members are more likely to benefit from greater collaboration across the organization, and report particularly strong partnerships with IT operations (82% vs. 69% of other CISOs) and engineering (74% vs. 63% of other CISOs). 

CISOs with good governance relationships are also more likely to pursue use cases for generative AI, such as threat detection rule-setting (43% vs. 31% of other CISOs), data source analytics (45% vs. 28% of other CISOs), incident response and forensics (42% vs. 29% of other CISOs), and proactive threat hunting (46% vs. 28% of other CISOs).

Bridging the gap

Although CISOs and boards have reported greater alignment on security priorities, there is still room for growth, the report adds. The biggest gaps in top priorities between CISOs and boards include innovating with emerging technologies, reskilling or upskilling security staff, and contributing to revenue growth initiatives.

At the same time, boards’ expectation that CISOs develop new business skills is adding complexity to CISOs’ jobs: 53% say their responsibilities and tasks have become more difficult since taking the job. In general, the most relevant skills for CISOs to develop are business acumen, emotional intelligence, communication, and regulatory and compliance knowledge.

Navigating regulations and budget cuts

In the last couple of years, regulations have become more complex, comprehensive, and stringent. This requires faster reporting of incidents and places more accountability on the shoulders of CISOs, Splunk highlights.

While maintaining compliance is critical to business, only 15% of CISOs ranked compliance status as a top performance metric, a significant gap compared to 45% of boards. 21% of CISOs said they had been pressured to not report a compliance issue, while 59% said they would whistleblow if their organization ignored compliance requirements.

At the same time, only 29% of CISOs say they are receiving adequate budget for cybersecurity initiatives and achieving their security goals, compared to 41% of board members who believe budgets are adequate, reflecting inconsistent support and misalignment between CISOs and the board.

64% of CISOs say they are concerned they are not doing enough due to current threats and regulations, and 18% of CISOs said they were unable to support a business initiative in the past 12 months due to budget cuts. Additionally, 64% said lack of support led to a cyberattack. CISOs also reported reduced security solutions and tools, freezes on security hiring, and reduced or eliminated security training as the top cost-saving measures.

Making security a business enabler

As cybersecurity becomes more central to business success, CISOs and their boards have the responsibility and the opportunity to close gaps, gain alignment, and better understand each other as they drive digital resilience, Splunk’s CISO Michael Fanning says. “For CISOs, this means understanding the business outside of their IT environment and finding new ways to communicate the ROI of security initiatives to their boards. For board members, this means committing to a security-first culture and consulting the CISO as a primary stakeholder in decisions. Bringing these groups together requires educating boards on the details of cybersecurity and CISOs understanding the language and needs of the business—all while making security a business enabler.”