The Power of Partnerships Between CISOs and Their Boards

CISOs have officially arrived in the C-Suite, and it is safe to say we're working more closely with our boards than ever before. Eighty-two percent of CISOs now report directly to the CEO, up from 47% in 2023, and 83% participate in board meetings somewhat often or most of the time. Splunk's annual CISO Report deep dives into how we are getting a more prominent seat at the table and where CISOs can have more influence over budget and policy, and boards have more insight into the organization's security posture.

The good news is that we're in sync with our boards on some of the issues that matter most. We agree on the importance of protecting sensitive information and the need to hone and grow our leadership skills.

But, like any budding relationship, we're still figuring each other out. Perhaps not surprisingly, there are still a few growing pains as CISOs expand into the role of business leaders. For example, when it comes to setting strategic goals for the security program, 61% of CISOs called their relationship with the board very good to excellent, compared to only 43% of boards who characterize the relationship in such glowing terms.

But it doesn't have to be that way. This year's CISO Report illuminates some of the gaps between CISOs and their boards, as well as best practices that will help CISOs reach across the aisle and accomplish their goals while also gaining the board's trust.

Bridging the CISO-Board Divide of Priorities, Skills, and KPIs

When the relationship is built on a foundation of misaligned priorities, CISOs and boards will likely end up further apart if they continue the same trajectory.

Many current divisions can be attributed to boards and CISOs having very different backgrounds. As technologists at heart, 58% of CISOs say the bulk of time we and our teams spend goes into choosing, installing, and operating technology. In contrast, 52% of boards believe we spend our days enabling the business. And although CISOs say the impact of security incidents is the best measure of their success, boards are gauging us by the ROI of our security investments.

So, how do CISOs narrow these divides? If we want to earn the board's confidence and trust, we have to consider how our priorities, goals, and time relate to revenue and business objectives. We'll have to take it upon ourselves to educate our boards on how security metrics benefit the business. By doing so, we'll be able to articulate how our security objectives fit into the greater mission and get the resources and support we need.

Why Speaking "Board" Will Help Secure Budget

Of the most valuable skills for CISOs to develop, the ability to solicit adequate budget tops the list. Only 29% of CISOs say they receive enough funding for initiatives and goals. And we're concerned - perhaps rightly so - given how budget shortfalls affect our ability to protect our organizations. This is an opportunity to position cybersecurity initiatives as something that enables the business and drives it forward.

Boards reported that they prioritize business growth, even over improved cybersecurity posture. That means CISOs need to think beyond risk metrics and dive deeper into how a solution will benefit the broader business. It means articulating the potential or inevitable costs of not implementing a security solution or best practice. Our report details ways CISOs can better champion security budgets and reframe their efforts into ROI that lands well with their boards.

In many ways, CISOs don't have a choice. Cutbacks, even small ones, can have significant consequences. For example, 18% of CISOs revealed they were unable to support a business initiative because of budget cuts in the last 12 months, and 64% said that lack of support led to a cyber attack.

The Benefits of a Strong CISO-Board Relationship

But fret not. There is a clear pathway to success. When CISOs take the time to build strong relationships with their boards, the results can be magical. For example, CISOs who report having a good relationship with their board see many benefits vs. those who do not, including:

• Better alignment between the security team and board priorities (86% vs 59%)
• Greater ability to secure needed budget (69% vs 57%)
• Superior understanding of cybersecurity (62% vs 46%)

Like any relationship, nurturing will help it flourish. As CISOs, we need to manage up rethink approaches so we can tackle new challenges and make strides in innovation together.

Get your copy of Splunk's CISO Report to learn more about which gaps CISOs are experiencing with their boards and how they can come together and build strong relationships that reap tangible benefits.