Board-imposed stress on CISOs to lessen, emphasis on cyber threats: research
In the dynamic world of cybersecurity, the relationship between Chief Information Security Officers (CISOs) and corporate boards is undergoing a significant transformation. According to Patrick Joyce, global resident CISO at Proofpoint, this closer proximity brings higher stakes, more pressure, and heightened expectations.
However, not all agree with Joyce's assessment about board pressure. Brian Walker, CEO of the CAP Group, disagrees with the findings but acknowledges that communication between CISOs and board directors is often misaligned.
This misalignment shows in how CISOs and corporate boards currently communicate and in the pressure each places on the other. The relationship is characterised by increasing scrutiny, evolving expectations, and a critical need for CISOs to translate technical cyber risks into business-relevant terms. Boards are demanding clearer explanations of the impact of cybersecurity investments, emphasising cyber resilience over mere prevention, and focusing on how cybersecurity aligns with overall business risk and continuity.
Several key trends define this dynamic in 2025. Firstly, boards are increasingly viewing cybersecurity as a top business risk. This heightened concern is driven by rising breach costs, geopolitical tensions, and stricter regulation. Boards now expect comprehensive oversight and accountability for cyber risk management integrated into corporate strategy.
Secondly, regulatory and governance demands are intensifying board involvement. For instance, the U.S. Securities and Exchange Commission (SEC) has proposed rules urging boards to disclose members’ cybersecurity expertise, reflecting broader regulatory expectations for board-level cyber governance. UK guidance (DSIT Cyber Governance Code) highlights that boards and CEOs can no longer delegate cybersecurity solely to CISOs; they must own risk decisions directly.
Thirdly, communication challenges persist for CISOs. Despite their technical backgrounds, CISOs must communicate with boards focused on financial impacts, risk ROI, and strategic value rather than technical jargon. Effective communication involves framing cybersecurity as a business resilience and risk management issue rather than just compliance or technical controls.
Fourthly, cyber resilience and business continuity are boardroom priorities. The metric "Mean Time for Clean Recovery" signals a shift towards valuing recovery capabilities and cyber resilience over pure prevention. Boards want assurance that cyber investments protect revenue, operations, and brand reputation during and after incidents.
Fifthly, there is pressure to justify cyber budgets and demonstrate ROI. Many board members admit limited understanding of cyber risk drivers; thus, CISOs must secure budget by linking cybersecurity investments directly to business outcomes and risk reduction instead of technical checklists.
Lastly, the strategic role of CISOs is evolving. CISOs are becoming strategic business leaders who integrate AI strategy, supply chain security, identity hygiene, and meaningful communication into their portfolio, responding to complex and expanding cyber risk landscapes.
Despite the improved alignment, CISOs still feel tremendous pressure. According to the report, 66% of them are faced with excessive expectations, compared to 61% in the previous year. The survey, conducted by Sapio Research, based on responses from 2,600 IT security leaders worldwide, also finds that 43% of security leaders feel they are seen as nagging or repetitive, and 42% feel they are seen as overly negative about cyber risk.
The ongoing tension between C-suite executives, investors, and security operations over managing and communicating security risk is particularly relevant in the U.S., as publicly traded companies are required by the Securities and Exchange Commission (SEC) to disclose material cybersecurity incidents within four business days.
In conclusion, the communication and pressure between CISOs and boards in 2025 involve a shift from purely technical discussions to strategic dialogues centered on cyber risk as an enterprise-wide business challenge. Boards are more engaged and demanding clearer, business-aligned risk insights, while CISOs are adapting their roles to meet these expectations through improved communication, governance participation, and resilience planning.
- In the dynamic business environment of 2025, cybersecurity has become a top priority for corporate boards, as they view it as a significant business risk due to rising breach costs, geopolitical tensions, and stricter regulation.
- Boards now expect comprehensive oversight and accountability for cyber risk management to be integrated into corporate strategy, and they demand clear, business-relevant explanations of cybersecurity investments' impacts.
- CISOs are facing increased pressure to communicate effectively with boards, focusing on financial implications, risk return on investment, and strategic value, rather than technical jargon.
- Recovery capabilities and cyber resilience are critical boardroom priorities, with the metric "Mean Time for Clean Recovery" emphasizing the importance of protecting revenue, operations, and brand reputation during and after incidents.