In this CIONET Trailblazer episode, we dive into the evolution of the role of the CISO alongside the findings of Splunk’s 2025 CISO Report, featuring Lauren Wilson, CTO at Splunk & Strategic Advisor at Splunk. The conversation explores how the CISO has secured a seat at the board table, shifting from giving advice and advocacy to delivering measurable execution and clear accountability. We discuss why the core challenge today is moving past prevention-focused controls to build true business resilience: a critical pivot that requires organisational collaboration, new governance structures, and a fundamental change in how security leaders communicate with the board.
We sat down with the team at Splunk to discuss the key findings and what they mean for security leaders today:
What was the main goal of this study?
The primary goal of this research was to capture what’s top of mind of our customers regarding the relationship between CISOs and their boards and validate the reality security leaders face.
And what was the key finding about the relationship between CISOs and their boards?
The CISO Report highlights a critical shift in the CISO’s relationship with the board. With 83% of CISOs now participating in board meetings, they have secured their seat at the table. The focus of the role of the CISO has evolved from giving advice and advocacy to delivering measurable execution and clear accountability.
How does this report define 'digital resilience,' and does this begin with the board or with the IT team?
The report says CISOs need to 'speak board fluently'. What does this mean, and how is it different from how they usually talk?
This means shifting their language and focus from technical consultancy to business execution. Many CISOs built their careers as deep technical experts, but their organisations are now asking them to become leaders of enterprise change and transformation. To speak fluently to the board, they need to present data-driven outcomes that give an objective view of security progress, using well-understood and consumable metrics that bridge security, IT, and business operations, rather than focusing solely on technical controls and processes.
If 83% of CISOs are now in board meetings, why is there such a big gap between boards saying CISOs 'meet' expectations and the very few who say they 'exceed' them?
Earning the seat is just the beginning. After gaining board-level visibility and executive sponsorship, the expectations have dramatically increased; boards now expect CISOs to "make it so" and deliver results. Nearly 79% of CISOs say their teams’ KPIs have changed substantially in recent years, reflecting this shift from giving advice to delivering execution. The expanded scope and growing expectations weigh heavily, with 53% of CISOs saying their responsibilities have become more difficult since taking the job. The difficulty of this pivot is what creates the gap between meeting and exceeding expectations.
Your data shows a clear mismatch in how CISOs spend their time: why do boards think their security leaders are busy helping the business grow when they are actually stuck doing technical work?
The shift is challenging, and even more so to execute in organisations burdened by years of cultural and technical debt. CISOs are no longer simply defining controls but are expected to ensure they are embedded, automated, and operationalised across the organisation. While the mandate is to become leaders of enterprise change and transformation, the reality of implementing and enforcing these practices means they are still heavily involved in ensuring technical compliance. This internal friction and resistance, which can surface as persistent gaps or unsafe workarounds, keeps security leaders tethered to the operational details.
One of the most surprising findings is that 59% of CISOs would consider whistleblowing. What is happening today to make this job feel so risky for them personally?
CISOs are receiving clearer mandates and greater accountability, but they also get the "gift of increased personal responsibility", especially when things go wrong, spanning legal, professional, and reputational impacts. This personal weight is immense. It is borne out by the shocking statistic that 21% of CISOs revealed they had been pressured not to report a compliance issue. This environment of high stakes and internal friction is what leads 59% of CISOs to say they would consider whistleblowing when practices could lead to serious harm, especially where they personally bear the consequences.
As AI becomes a normal part of the threat landscape, how can CISOs move past the fear of 'deepfakes' to show the board that AI can actually help the business stay ahead?
The key is to manage AI as a cross-domain risk that requires shared responsibility, rather than an isolated threat. CISOs should focus on establishing governance structures that ensure shared ownership of risks like AI, establish clear escalation paths, and drive joint accountability across the business. By using strategic partners as force multipliers, CISOs can demonstrate how AI can be leveraged to extend capacity and accelerate implementation of security strategies, scaling impact without scaling burnout. This frames AI in terms of business outcomes and resilience rather than purely as a source of fear.
For a CISO or CIO who wants to stop being seen as just a 'tech expert' and start being a 'business leader,' what are the three most important changes they should make right now?
The data makes it clear that changes to how organisations govern, measure, and share responsibility are essential. Three practical ways to navigate this shift are:
Splunk’s 2025 CISO report makes one thing clear: CISOs fought hard to earn their seat at the executive table. Now comes the harder work of turning visibility into execution, and execution into resilience. This shift requires a fundamental change in how organisations govern, measure, and share ownership for cyber risk across the entire enterprise.