Nearly half (47%) of global CISOs now report to their CEO, and the vast majority (78%) are backed by a board-level cybersecurity committee, signalling the growing influence of cyber risk management in organizations.
The findings come from Splunk’s 2023 CISO Report, which was compiled from a survey of 350 CISOs and other security leaders in 10 countries, plus separate in-depth qualitative interviews with 20 CISOs.
The report revealed that CISOs are more likely to report to the CEO in Europe (54%) than in America (41%), which Splunk attributes to CEOs being held personally liable for security in the region. However, recently published SEC rules in the US are also likely to make boards more accountable for breaches and incidents.
That could be why 88% of respondents said that their board is making a “concerted effort” to educate itself on cybersecurity. However, 84% of CISOs said that their board still equates strong security with regulatory compliance rather than best practices, which signals that their focus may still be slightly off.
That said, Splunk argued that CISOs are slowly getting the ear of the C-suite.
A quarter (26%) of respondents said they share the results of security testing to illustrate where boards need to intervene, and a similar share (27%) said they prioritize reporting the ROI of security investments. By showing where interventions have already helped, the idea is to gain buy-in for future investments.
This appears to be working: 93% of respondents said they expect security spend to increase significantly (34%) or somewhat (59%) over the coming year.
That’s not to say that macroeconomic headwinds aren’t impacting the security function, though. The report also revealed that:
- 80% of respondents have noticed an uptick in threats coinciding with the declining economy
- 85% are worried about the impact of macroeconomic uncertainty on their function
- A third (31%) said that projects have been delayed or eliminated due to a lack of funding
- Just 35% said their board allocates adequate funding for cybersecurity
Most (88%) respondents said they want to address tool sprawl and complexity in security analytics and operations. This can help organizations save money on unnecessary licensing costs, make life easier for stretched security teams, and improve threat detection and response.