Splunk reveals that 82% of CISOs now report directly to the CEO, but many lack EQ
# Industry News: CISOs Elevate Board Influence While Battling Soft Skill Gaps and Budget Discrepancies
## Summary
Research by Splunk indicates that the share of CISOs reporting directly to the CEO has risen sharply (to 82%, from 47% in 2023) and that CISOs are frequently involved in board meetings. However, according to board members, this increased influence is tempered by a perceived deficit in essential business acumen, emotional intelligence, and communication skills. Furthermore, significant misalignment persists regarding cybersecurity funding, with boards often perceiving budgets as more adequate than security leaders do.
## Key Details
- Date: January 23, 2025 (Publication Date)
- Companies Involved: Splunk (conducted the research, involving 500 CISOs and 100 board members globally)
- Category: Industry Research/Survey Findings
## The Story
Splunk's "The CISO Report 2025" reveals a major shift in organizational structure: 82% of CISOs now report directly to the CEO, signaling elevated strategic importance. While working relationships concerning strategic goal alignment are generally positive, a crucial gap exists in perceived competence outside of core technical security. Board members identified deficits in business acumen, emotional intelligence, and communication skills in their security leaders more frequently than the CISOs identified these gaps in themselves. Compounding this, the two sides disagree on whether budgets are adequate: 41% of board members believe the security function is adequately funded, whereas only 29% of CISOs agree. This funding gap is linked to real consequences, as 18% of CISOs reported being unable to support business initiatives due to budget cuts, leading to attacks in 64% of those incidents. The report urges education on both sides, with CISOs teaching ROI and business context and boards fostering a security-first culture.
## Business Impact
### For the Companies Involved
- **CISOs:** Face a mandate to rapidly upskill in non-technical domains (business strategy, interpersonal skills) to match their increased organizational authority. Failure to adapt risks limiting their strategic input despite their high visibility.
- **Boards/CEOs:** Benefit from closer alignment on risk but must recognize and strategically invest in CISO development programs to ensure security narratives translate effectively into business value.
### For Competitors
- Organizations where CISOs successfully bridge the business/technical perception gap will likely enjoy smoother budgetary approvals and faster execution of critical security roadmaps compared to peers whose security leaders struggle with executive communication.
### For Customers
- Customers stand to benefit from better-resourced security functions, as high-level alignment between the CISO and the board should reduce the likelihood of missed security investments leading to service disruptions or data breaches.
### For the Market
- This data confirms the ongoing maturation of the cybersecurity function from a purely technical cost center to an essential business risk management discipline. Executive search firms and training providers focusing on security leadership development will see increased demand for non-technical cyber training.
## Technical Implications
The article focuses primarily on organizational dynamics, but the technical implication is that security architecture decisions risk being poorly prioritized or inadequately funded upstream if CISOs cannot effectively translate technical needs into compelling financial or operational risk arguments (ROI).
## Strategic Analysis
- **Market Positioning:** The CISO role is clearly shifting toward a business executive function rather than merely a specialized IT leadership track. Companies that view security as a business enabler, led by a well-rounded CISO, will gain a competitive edge in risk management maturity.
- **Competitive Advantage:** The ability to secure adequate budget—especially when competing against revenue-generating priorities—is a direct competitive advantage gained through superior communication and business narrative skills.
- **Challenges:** The primary challenge is the speed of required cultural and skill transformation. Boards need cybersecurity literacy, and CISOs need executive presence and business fluency, both demanding focused organizational effort.
## Industry Reactions
- **Analyst Opinions:** Analysts likely view the findings as validation of ongoing observations that technical prowess alone is insufficient at the C-suite level. The budget disagreement highlights traditional friction points where security often loses out without strong executive sponsorship linked to tangible business risk.
- **Expert Commentary:** Experts, like Splunk's CISO Michael Fanning, emphasize the need for mutual education—CISOs must speak the language of the business, and boards must adopt a security-first mindset.
- **Market Response:** Increased scrutiny on CISO hiring criteria and mandatory executive coaching post-hire is expected.
## Future Outlook
- **Predictions and Expectations:** We can expect training and certification bodies to rapidly adjust offerings to emphasize business strategy, governance, and soft skills for security leaders. Furthermore, future research will likely track how effectively CISOs are closing these identified skill gaps and whether budget parity between CISO and board perception is achieved.
- **What to watch for:** Evidence of formal "business integration training" programs specifically targeted at the CISO community.
## For Security Professionals
This research serves as a critical roadmap: technical expertise is the baseline, but career progression into the most influential security roles now requires demonstrable proficiency in communication, emotional intelligence, and deep business acumen. Professionals must actively seek opportunities to engage outside the security domain to effectively advocate for resources and strategic alignment.