Cybersecurity leaders face demands from boards to minimize cyber threats, research reveals
In the ever-evolving landscape of cybersecurity, a significant shift is underway in the way CISOs and corporate boards communicate about risk. According to the 2024 Voice of the CISO report, published by Proofpoint, 84% of CISOs now see eye-to-eye with their boards on cyber risk, a marked improvement from the previous year [2][4][5].
The report, based on a worldwide survey of 2,600 IT security leaders conducted by Sapio Research, reveals that this improved alignment is due to a more strategic focus on risks, risk appetite, and business implications, rather than just technical details [2][4][5]. Boards are seeking information in clear, business-relevant terms, while CISOs must translate complex cybersecurity metrics into strategic insights that relate to organizational risk governance.
However, ongoing tensions persist, as highlighted in the report. Boards can often feel overwhelmed by too much technical detail, jargon, and unclear priorities, complicating effective oversight. Conversely, CISOs can feel frustrated by boards’ lack of alignment on priorities, budgets, and resources, and interactions that feel more like exams than collaborative discussions [2]. These gaps can hinder trust and the quality of cybersecurity governance conversations.
To improve this dynamic, studies recommend a shared mindset of mutual support, with CISOs focusing on risk and organizational impact rather than only on technical measures. Board members should also improve their cyber literacy and ask targeted, strategic questions. Cross-functional collaboration, including business units beyond IT, is crucial to establishing cyber resilience as a business-wide imperative [1][2][3].
As we move into 2025, CISOs face additional pressures from increasing regulatory scrutiny and the need to demonstrate cybersecurity value in terms of business risk management and ROI. Boards demand transparency, measurable outcomes, and strategic alignment of cybersecurity investments [4][5].
The debate is particularly relevant in the U.S., where publicly traded companies are required to disclose material cybersecurity incidents within four business days and annually disclose information about their cyber risk strategies. In 2023, the Securities and Exchange Commission filed charges against SolarWinds and its top cyber risk executive for allegedly misleading investors about the company's cyber resilience [6].
Despite these improvements, the 2024 Voice of the CISO report indicates that CISOs still feel tremendous pressure to carry the weight of cyber risk on their backs. Two-thirds of CISOs are concerned about personal liability, compared with 62% in the year-ago study. More than 70% of CISOs surveyed said they would not join a company unless they had directors and officers coverage [7].
Patrick Joyce, global resident CISO at Proofpoint, acknowledges that while CISOs are enjoying closer ties with key stakeholders, this proximity also brings higher stakes, more pressure, and heightened expectations [8]. Brian Walker, CEO of the CAP Group, agrees that communications between CISOs and board directors are often misaligned but disagrees with the findings about board pressure [9].
Managing and communicating security risk remains a complex challenge, but the evolution towards a strategic partnership between CISOs and boards is a promising development. As both sides work to bridge language, priority, and knowledge gaps, they can build trust, improve governance, and enhance cyber resilience.
- In the evolving cybersecurity landscape, CISOs and boards prioritize discussing cyber risk in strategic terms, shifting focus from technical details to business implications, promoting mutual understanding.
- As technology advances and regulatory requirements increase, CISOs must demonstrate the value of cybersecurity in terms of business risk management and return on investment, while board members should enhance their cyber literacy to ask more targeted, strategic questions.
- To foster a strategic partnership between CISOs and boards, both parties need to collaborate cross-functionally, bridging language, priority, and knowledge gaps, and building trust, ultimately enhancing cyber resilience.