
5 ways corporate boards can support CISOs in 2025


COMMENTARY: The CISO role has evolved significantly in recent years, transitioning from a technical position to a crucial business leadership role that helps organizations reduce not just cyber risk, but overall business risk.

The industry can’t achieve one without the other.

A cyberattack can cost thousands, if not millions, in financial damages, disrupt operations, and severely damage a company's brand and reputation. This can set an organization back for years, with effects felt long after resolution. As a result, the CISO’s role has become multifaceted, charged with both protecting a company and helping it make good business and product decisions based on a complex risk profile.


Today’s CISO responsibilities include managing technology risks, as well as financial and operational risks, navigating an ever-growing set of regulatory demands, and overseeing an exponentially expanding attack surface. Furthermore, as cyber threats become more complex and cybersecurity becomes a board-level concern, CISOs face increased accountability, including personal liability for security failures. Notable cases, like the SEC charging SolarWinds and its CISO Timothy Brown for misleading cybersecurity disclosures and Uber’s CISO Joseph Sullivan being convicted over a 2016 data breach, highlight the growing risks. These incidents add to what is already a stress-inducing position with rapid turnover: The average CISO tenure is only 18 to 26 months—well below the general C-suite tenure of 4.9 years.

As these challenges continue, boards must empower CISOs so they can make critical decisions, allocate resources effectively, and influence business strategy. This means giving them the authority, support, and access they need to act swiftly, drive change, and shape the organization’s cybersecurity approach, ensuring they can prevent, rather than just react to, emerging threats.

According to a recent report, 82% of CISOs now report directly to CEOs, a dramatic increase from 47% in 2023. Despite this increase in C-suite collaboration, significant gaps remain between CISOs and the boardroom. Many CISOs still struggle with limited access and influence at the leadership level, making it difficult to effectively communicate and secure the resources needed to protect their organizations. Conversely, boards often lack the expertise or advisory role that can align to the CISO’s broad set of responsibilities and unique risks.

At the same time, the threat landscape has become more complex as cybercriminals leverage AI to introduce new attack vectors and outpace traditional defenses. Last year, organizations saw an uptick in AI-enabled phishing attacks, and deepfakes were involved in nearly 20% of synthetic identity fraud cases. These incidents highlight the immense pressure on CISOs, who are expected to secure their organizations, and also predict, prevent, and react to threats that are evolving faster than ever. Because of these pressures, 1 in 4 CISOs are considering leaving the profession. This problem will only persist with sophisticated AI-driven attacks, increased exploitation of vulnerabilities, and growing nation-state attacks expected to dominate the threat landscape in 2025.

How CISOs and the boardroom can align

If CISOs are held accountable for breaches, companies must also empower them with decision-making authority, direct access to leadership, and the necessary resources to execute their security strategy. Organizations need to start thinking of CISOs as peers to all other C-level executives, with an equal seat at the table. Otherwise, organizations remain vulnerable to breaches that can cause financial losses, reputational damage, and other consequences.

Here are five actions boards should take to strengthen cybersecurity leadership and reduce risk:

  • Ensure direct, unfiltered access to leadership: The CISO must have a solid – not dotted – reporting line to the board. While it’s not always practical to have direct board reporting in every organization, CISOs must have a clear, independent channel to communicate risks without being filtered through other executives.
  • Appoint a board-level CISO advocate: In addition to having direct, unfiltered access to the board, every CISO should have a dedicated “best friend” on the board who meets with them regularly, understands their challenges, and helps advocate on their behalf in boardroom meetings. This board advocate should meet with the CISO monthly, at a minimum, ideally co-chairing the CISO steering committee to ensure security priorities align with the overall business strategy. This model helps to ensure the CISO's concerns are reflected on an ongoing basis.
  • Grant CISOs true authority: Don’t bury CISOs under IT leadership. They must have ownership of the security function. Boards must clearly define and uphold the CISO’s decision-making authority, empowering them to say, “No, we won’t do X because it’s a risk,” without fear of pushback or retaliation. The CISO must have management-level authority over the information risk and cybersecurity activities, have the ability to mandate minimum security controls for business applications, as well as the ability to “veto” or at least hold risky activities that violate the board and management risk appetites. Management should see the CISO as their chief counsel on information and cyber risk and treat them in the same manner as they would a chief legal officer.
  • Ensure cybersecurity across business operations: CISOs must have a role in cybersecurity programs across all business functions. It’s no longer just a technology function. We need to extend the same best practices CISOs have successfully implemented in technology across the enterprise. CISOs need oversight over all critical business processes where risk exists. When we talk about privileged access and identity security, CISOs need the authority to enforce controls across both business and IT teams. This means not only securing traditional IT environments, but also ensuring that high-risk business users such as finance teams, executives, and those managing sensitive transactions operate under strong security measures and are held to the same security standards.
  • Restack the security budget: Outdated IT budget benchmarks should not limit cybersecurity spending. As such, organizations must understand the risks they are up against today and how those risks may impact the business. Only then can they reassess where their crown jewels are and restack their security budget to best address where gaps may lie. However, companies can’t just leave this to the CISO; they must up-level them to the boardroom. From there, boards and CISOs need to reassess what needs protection and allocate the necessary people, resources, and budget accordingly.
When it comes down to it, every CEO and Chairman should want their CISO in the boardroom, not just to present a few metrics, but to participate and truly educate the management and board on the risks facing the enterprise. Few executives have areas of responsibility as broad as that of a CISO, and very few roles can have a more sudden, unforeseen, and potentially adverse impact on the business.

No longer can we layer CISOs under other functions, or relegate the CISO to presenting a few obscure metrics no one understands. CISOs are expected to shoulder this level of responsibility, and boards and CEOs must empower them with the authority, access, and resources needed to succeed and perform the function.

By taking these five steps, organizations can reduce turnover and CISO burnout, and also build a stronger, more resilient security posture. Empowering the CISO has become more than just a best practice: it’s a business imperative for 2025 and beyond.

John Paul Cunningham, chief information security officer, Silverfort

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
