
CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?


After years of leaning into learning the ethos of business leadership and risk management, chief information security officers (CISOs) have gotten their seat at the boardroom table and the power to make decisions. But even so, many say their jobs are more arduous than ever, and that's not how it was supposed to happen.

A full 82% of CISOs who responded to a recent survey from Splunk said they report directly to the CEO, up from just 47% in 2023. In addition, 83% said they participate regularly in board meetings. For their part, CISOs have had to skill up in kind, honing communications skills and learning the boardroom lingo of KPIs and ROI, not to mention becoming more familiar with legal and compliance concerns. In other words, the scope of the CISO role has expanded far beyond just IT security.

Chart: CISOs and boards measure success differently

Source: Splunk, the CISO Report 2025

It's a big change; for years, CISOs were relegated further down the org chart, receiving mandates without any opportunity to provide context to the business. They also became the ones to take the blame for major breaches, landing some in legal entanglements. And that status quo was leading to massive burnout, with the average CISO tenure standing at just two to four years in 2020. By 2023, there was widespread consensus the CISO role needed a rethink.


Hence, more CISOs gaining a seat in the C-suite. And theoretically, putting a CISO in the middle of high-level decision making should help push the case for more cyber investment. But that hasn't been the experience for many, who find that board buy-in is still a challenge. In fact, only 29% of the CISO survey respondents reported they have the necessary budget to keep up with the current threat environment; in contrast, 41% of non-CISO board members said they're satisfied with cybersecurity investment levels.

In all, 53% of CISO respondents in the Splunk survey said their job has actually become "more difficult since they took the job," seat at the table or no.

CISOs With Board Buy-In Do Better

The data also points to a clear-cut solution: Boards with members who have cybersecurity backgrounds make a huge difference. Board members with CISO experience work better with cybersecurity teams on setting strategy, goal setting, and, critically, budgeting.

Those results mirror the experience of Jessica Sica, CISO at software company Weave. Although she says her role reports to the chief legal officer rather than the CEO, she "regularly" meets with the whole C-team, as well as the board and audit teams. Rather than bogging her down, Sica says, her relationship with leadership has made her job easier. But, she adds, Weave's board is cybersecurity savvy.


"I have a very security-conscious boss, and we have a security-concerned board," Sica says. "Having their support and voice makes it easier to get my job done."

Her experience, however, is a minority one: The survey showed only 29% of CISOs had a board with at least one cyber expert.

Progress requires CISOs to keep pushing cyber into the C-suite conversation, and boards to recognize the need to add more cybersecurity experts to their ranks, according to Michael Fanning, CISO of Splunk.

"As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other to drive digital resilience," Fanning said in a statement. "Bringing these groups together requires educating boards on the details of cybersecurity, and for CISOs to understand the language and needs of the business while also making security a business-enabler."

