CISOs are moving closer to the board — but budget hurdles remain

In recent years, CISOs have often felt that their board of directors did not take them seriously. This key issue for cybersecurity, however, is turning around, with 82% of CISOs now reporting directly to their CEOs, versus 47% in 2023, according to a survey by Splunk.

Splunk’s report, which surveyed 500 CISOs, CSOs, and similar security officers, as well as 100 board members, found that 83% of CISOs now attend board meetings relatively often or most of the time.

Important as well to the security of the enterprise is having someone with cybersecurity background on the board itself, as 60% of respondents acknowledged. There, however, companies have a ways to go, with only 29% of CISOs saying their companies someone with cybersecurity expertise on the board.

According to the study, board members with a CISO background have closer relationships with security teams, place more trust in the company’s security measures, and are far less likely (37%) to express concerns that not enough is being done to protect the company.

The study also shows that CISOs who have strong relationships with the board also report better collaboration throughout the company, including stronger partnerships with IT operations and engineering teams than do CISOs who do not have strong relationships with the board (74% vs. 63%).

CISOs with good relationships with the board are also more likely to have the opportunity to pursue generative AI use cases, such as creating rules for threat detection (43% vs. 31%), analyzing data sources (45% vs. 28%), incident response and forensic investigations (42% vs. 29%), or proactive threat hunting (46% vs. 28%).

Despite increased board access, disagreements remain

Even though CISOs and boards are converging on security priorities, gaps remain. The biggest discrepancies in CISOs’ and boards’ top priorities are:

• Innovation with emerging new technologies (a priority for 52% of CISOs, but only 33% of board members)
• Upskilling or reskilling of security personnel (51% of CISOs, 27% of board members)
• Contributions to revenue growth projects (36% of CISOs, 24% of board members)

Although board members and CISOs agree on the importance of key cybersecurity KPIs, 79% of CISOs surveyed stated that their security teams’ KPIs have changed significantly in recent years. Achieving security milestones is a relevant measure of success for 46% of CISOs, but only 19% of board members surveyed share this view.

Although robust compliance is crucial for the company, only 15% of CISOs cite compliance as one of the most important performance metrics — the gap between them and the board (45%) is more than clear. A fifth (21%) of CISOs claim that they have been pressured not to report a compliance problem. Against this background, however, 59% admit they would become active as a whistleblower if their company ignored compliance requirements.

Disputes over security budget

Inconsistent support and discrepancies are also reflected in cyber budgets.

Only 29% of CISOs say they have an adequate budget to implement their cybersecurity projects and achieve their security goals, while 41% of board members believe that cybersecurity budgets are appropriate.

Meanwhile, 64% of CISOs are concerned they cannot do enough given the current threat landscape and regulatory environment. Moreover, 18% of CISOs say they were unable to support a business venture in the past 12 months due to budget cuts, which resulted in a successful attack in 64% of cases.

Other key cost-cutting measures cited by CISOs include fewer security solutions and tools (50%), hiring freezes (40%), and reduced or completely suspended security training (36%).

Almost all CISOs (94%) have already been the victim of a disruptive cyberattack. The majority (55%) say they have been affected at least a few times, and another 27% say they have been in the crosshairs many times.