21% of CISOs Have Been Pressured Not to Report a Compliance Issue

Over a fifth of CISOs have been pressured not to report a compliance issue, according to new research. As they take on greater responsibility in the boardroom, they also face increasing accountability for security incidents, making them more vulnerable to executive pressure when compliance risks arise.

The report, published by data management platform Splunk, also found that 59% of CISOs would be willing to become a whistleblower if their company ignored compliance requirements. However, the fact that some feel compelled to take such drastic measures highlights a deeper issue — a communication breakdown between CISOs and corporate boards.

The disconnect is often rooted in a lack of awareness among executives of the complexity and time required to maintain compliance. Board members may underestimate the security team's workload and, when faced with delays or challenges, may encourage CISOs to downplay or withhold issues instead of reporting them.

“While boards know compliance is important, many may not fully realize or understand the work required to achieve it,” said Kirsty Paine, field CTO and strategic advisor for Splunk, in The CISO Report.

“With a lack of day-to-day insight, it’s not surprising that board members think it should be ‘easy’ or are confused when CISOs and their teams take excessive amounts of time to achieve and sustain a strong compliance posture.”

Splunk’s research surveyed 500 security leaders, including CISOs, and 100 board members across 16 industries worldwide to examine how cybersecurity decision-makers and executive teams interact. The findings reveal a growing presence of CISOs in corporate leadership, but also persistent challenges in aligning security with business priorities.

CISOs are being brought into the boardroom as cyber threats become a bigger risk, but face growing challenges

As cyber threats continue to rise, CISOs are being given an increasing amount of responsibility. The report found that 82% now report directly to the CEO, up from 47% in 2023, and 83% attend board meetings regularly. However, this increased presence has not translated into better alignment between security teams and executives.

The study revealed that 94% of CISOs have experienced a disruptive cyberattack, with 55% reporting multiple incidents and 27% facing repeated breaches. Despite these threats, CISOs and board members remain divided on key priorities, budgeting, and strategic focus.

Despite CISOs being entrusted with strategic decision-making, the Splunk report highlighted some clear areas of misalignment between them and the rest of the board.

For instance, 52% of boards think CISOs spend most of their time aligning their security efforts with business objectives, but only 34% of CISOs said this was the case. In reality, the bulk of their work involves choosing, installing, and operating technology, according to 57% of CISOs.

CISOs also have different priorities from the rest of the board. More than half, or 52%, prioritise innovating with emerging technologies, while only 33% of boards agree. A similar percentage, 51%, also ranked upskilling and reskilling security employees as important, but only 27% of boards shared that view.

When it comes to compliance, only 15% of CISOs ranked it as a top performance metric, likely because many see it as a checkbox exercise that yields only a baseline level of security. By contrast, 45% of boards regard it as an important metric.

CISOs believe they are good at communicating, but evidence suggests otherwise

The Splunk report shows that CISOs feel they communicate well with the rest of the board, leading to their alignment on key issues. However, they may be overrating their relationship. A total of 61% of CISOs feel they align on strategic security goals, compared to 43% of the board members. When it comes to communicating the progress of security milestones, 44% of CISOs rate their ability highly, but just 29% of board members agree.

Such miscommunications are having real consequences on business operations. For instance, only 29% of CISOs report having the proper budget for cybersecurity initiatives and goals, compared to 41% of board members. This insufficient investment is leaving organisations vulnerable to cyberattacks. A total of 62% of CISOs who postponed their technology upgrades to cut costs said it resulted in a successful breach or attack.

CISOs need to improve their communication with boards by focusing on the numbers

To prevent cyber attacks and compliance misalignment, security leaders must refine their approach when engaging with board members.

“Many boards state that they prioritize business growth (44%) over strengthening the cybersecurity program (24%), which means they’re inclined to back cybersecurity initiatives that provide the most value to shareholders and the organization,” the report’s authors wrote.

Indeed, 64% of boards say presenting security as a business enabler is the most effective way to increase budgets, but only 43% of CISOs approach the topic that way. Just under half, or 46%, of boards say that presenting costs such as downtime and potential fines is the most convincing argument in budget discussions.

The onus is not just on CISOs. Board members must consult the CISO as a primary stakeholder in decisions that impact enterprise risk and governance, the report’s authors said.

“Despite the gaps, they share a duty to safeguard the company. Boards protect profitability and stock price; CISOs protect data and systems. This is something to build on. But it will take communication, understanding, and a generous dose of patience to come together,” they wrote.
