
Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology.
Is the role of the CISO adding to the confusion?
Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.
At 550 words, this briefing is about a 4-minute read.
A CISO’s role.
Traditionally, a Chief Information Security Officer (CISO) is responsible for overseeing an organization’s information, cyber, and technology security. While specific duties vary from organization to organization, the role generally involves protecting assets, applications, systems, and technologies, all while advancing core business objectives.
Yet, despite the importance of a CISO’s mandate and the value it brings to an organization, CISOs have continued to struggle to make headway with other C-Suite members.
In Splunk’s 2025 CISO Report, this disconnect is still growing:
- 53% of CISOs reported their responsibilities and expectations have become more difficult.
- 79% of CISOs reported that the key performance indicators for their security teams have changed substantially over recent years.
- 21% of CISOs have been pressured not to report a compliance issue.
- 29% of CISOs reported having the necessary budget for cybersecurity initiatives and accomplishing security goals.
- A noteworthy 41% of other board members reported that CISOs’ budgets are adequate.
These findings point to a troubling misalignment.
Kirsty Paine, Splunk’s Field CTO and Strategic Advisor, explains the growing challenges:
“CISOs…need to switch up their tactics to be better heard, using their precious board time to justify the ROI of their security investments and elevate security to a business enabler, not just a cost center.”
A board member from a multinational banking group echoed this disconnect:
“When you go to the board to say that we have a potential cyber threat, it’s difficult to justify the investment. The usual problem that I face is with the certainty of an investment versus the likelihood of a threat which may not happen.”
This tension between risk mitigation and business justification is not new, but it is becoming more acute. Unless CISOs can adapt to how they communicate risk, return on investment, and resilience, their influence at the board level may continue to erode.
Evolving the CISO.
As the scope and complexity of cybersecurity challenges continue to grow, the traditional CISO role must evolve. Today’s CISOs are not just security guardians; they must act as strategic business partners who can communicate risk, value, and resilience in a manner that the boardroom understands.
To achieve this, CISOs need to focus on new priorities:
- Codifying the role of the CISO. CISOs need to establish clear and more consistent definitions of their responsibilities, accounting for organizational sizes, industries, and maturity levels. This codification helps align expectations across executive leadership and foster more consistent collaboration.
- Shifting communication to emphasize return on investment. CISOs need to tailor their messaging to highlight business impact. Numerous factors are outside of a CISO’s control. However, by translating technical metrics into business outcomes, leveraging risk quantification, and presenting initiatives in terms of return on investment, CISOs can gain the support of their board members to help execute their strategy rather than hinder it.
- Investing in strategic and leadership skills. Developing soft business skills should be as much of a priority for CISOs as technical ones. Being able to develop talent, engage peers, and create meaningful strategies is critical to improving influence and trust with other business leaders.
No CISO can prevent every breach, but by reframing their role as a driver of strategic resilience rather than as a security solution, CISOs can regain influence and credibility with other key leaders.