In a global study of the goals, priorities and strategies of chief information security officers (CISOs), security analytics and observability supplier Splunk and economic advisory firm Oxford Economics found that 82% of CISOs now report directly to CEOs, a dramatic increase from 47% in 2023.

The CISO report 2025 also revealed that 83% of CISOs participate in board meetings somewhat often or most of the time. However, only 29% of CISOs said their board includes at least one member with cyber security expertise.

The global study was conducted in June and July 2024 with Oxford Economics. It surveyed 600 respondents, 500 of them CISOs, CSOs, or equivalent security leaders, and 100 board members.

Respondents were drawn from 10 countries: Australia, France, Germany, Italy, India, Japan, New Zealand, Singapore, the UK, and the US. They represented 16 industries, including agriculture, financial services, government, healthcare, manufacturing and retail.

Oxford Economics also interviewed eight CISOs and board members.

Disconnect persists

Despite finding increased CISO participation at the highest leadership level of companies and other organisations, the research also discovered that gaps still exist between CISOs and boards. The largest gaps included innovating with emerging technologies (52% of CISOs make it a priority, versus 33% for board members), upskilling or reskilling security employees (51% for CISOs, 27% for boards), and contributing to revenue growth initiatives (36% for CISOs, 24% for boards).

Only 15% of CISOs ranked compliance status as a top performance metric – a significant difference with boards, at 45%. Some 21% of CISOs said they had been pressured not to report a compliance issue, and 59% said they would become a whistleblower if their organisation was flouting compliance requirements.

Only 29% of CISOs said they receive the proper budget for cyber security initiatives and achieving their security goals, compared with 41% of board members who think cyber security budgets are just fine. Some 64% of CISOs said the current threat and regulatory environment makes them concerned they’re falling short, 18% said they had been unable to support a business initiative because of budget cuts in the prior 12 months, and 64% said lack of support had led to cyber attacks.

Half of the CISOs also said cost-saving initiatives had reduced the arsenal of security tools at their disposal, led to hiring freezes (40%), and reduced or got rid of security training (36%).

Almost all (94%) CISOs reported being victims of a disruptive cyber attack, with 55% experiencing them at least a couple of times and another 27% experiencing them many times.