TREND 1
The Changing Role of the CISO from Technical Expert to Boardroom Protagonist
Tightening regulation and legislation is changing the role of the CISO, putting cybersecurity firmly on the boardroom agenda.
85% of CISOs are communicating to a wider group of stakeholders than ever before.
Security Leaders Peer Report, 2025
Regulation such as the U.S. Securities and Exchange Commission's (SEC) Cybersecurity Disclosure Rules and the EU's Digital Operational Resilience Act (DORA), which hold boards and senior management accountable for an organization's digital and operational resilience, has brought cybersecurity into sharper focus.
As CEOs demand detailed insight into operational cyber resilience, cybersecurity now has a permanent spot on the boardroom agenda.
This visibility is changing the role of the CISO. Results from the 2025 Security Leaders Peer Report indicate that a significant proportion of security leaders feel their role has changed: three quarters (75%) believe they are more accountable, 85% say they must communicate with a wider range of stakeholders, and 90% say they are asked to provide more assurance on the state of controls than ever before.
Alongside this heightened accountability, security leaders increasingly feel they are being held personally liable. Two thirds (65%) of CISOs feel they could be 'hung out to dry' by their current employers in the event of a serious breach, and in 2025, 72% of security leaders said they had personal indemnity in place.
This has shifted even greater focus onto risk management, control effectiveness and assurance, as well as the need for transparent, trusted reporting.

"All [boards] want to know is: how is that risk going to impact their business?"
Andy Piper, CISO, Barclays Investment Bank
Case study: Communicating the language of the business
What I have learnt in this role particularly is that the people on the board in a bank like mine are generally not particularly 'techies'. So, a huge part of my role is to explain what is going on in the industry, or in our threat landscape, or in our control landscape in ways that they will actually understand.
There is no point me going into the board and talking about the intricacies of a new TTP. They don't care about that, they pay me to care about that. All they want to know is: how is that going to impact their business? What risks are they taking on? So everything I do, I have to present in a manner that means something to them. That's both in the sense of informing them about things they should know about, as much as getting them to understand priorities and ultimately, agree to pay for solutions.
Andy Piper
CISO, Barclays Investment Bank
It’s why leading CISOs are championing a data-driven approach.
As boards and executive teams rely ever more on CISOs to share and communicate business risk, CISOs become increasingly critical to, and visible within, the organization.
But as CISOs take on more responsibility, they face intense pressure to provide detailed analysis and reporting, placing an immense burden on entire security teams. Almost three quarters (71%) of security leaders feel that the pressure to monitor and report on control effectiveness in 2026 is fuelling industry burnout.
TL;DR: What this means for security leaders
- The CISO has become an increasingly critical and visible role over the last half decade, as boards rely on CISOs to communicate the organization's business risk position and the current state of its controls.
- CISOs therefore need real-time data and dashboards they can trust, especially with more exposure and liability resting on them than ever before.
- Continuous Controls Monitoring (CCM) platforms provide continuous visibility of an organization's security posture, but the underlying data must be de-duplicated, normalized and enriched if CISOs (and their boards) are to trust the results.
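The following is an added illustration, not code from the report or from any CCM vendor, of why the de-duplication, normalization and enrichment step matters before a coverage figure reaches the board. It uses constructed sample exports from a hypothetical CMDB, EDR console and vulnerability scanner, assumes a corporate DNS suffix of `corp.example.com`, and contrasts the "raw record count" figure a naive dashboard would show with the figure produced once duplicates are collapsed, hostnames canonicalized and each asset enriched with its business criticality.

```python
"""Toy continuous-controls-monitoring pipeline: collapse duplicate tool records,
normalise hostnames to one asset key, enrich with CMDB context, then compute
control coverage. All data below is constructed for illustration."""

from dataclasses import dataclass
from typing import Optional

CORP_DOMAIN = "corp.example.com"  # assumed corporate DNS suffix (hypothetical)

# Constructed exports. Each tool names the same machine differently (case,
# FQDN vs. short name) and some hosts appear more than once.
CMDB = [  # inventory of what *should* exist, with business criticality
    {"host": "WEB-01.corp.example.com", "owner": "payments", "criticality": "high"},
    {"host": "web-02.corp.example.com", "owner": "payments", "criticality": "high"},
    {"host": "DEV-07", "owner": "engineering", "criticality": "low"},
    {"host": "db-01.corp.example.com", "owner": "payments", "criticality": "high"},
]
EDR_AGENTS = [  # hosts checking in to the endpoint-protection console
    {"hostname": "web-01", "last_seen_days": 0},
    {"hostname": "WEB-01.CORP.EXAMPLE.COM", "last_seen_days": 1},  # same box, second record
    {"hostname": "dev-07.corp.example.com", "last_seen_days": 3},
    {"hostname": "build-99", "last_seen_days": 0},  # not in CMDB: unknown asset
]
VULN_SCANS = [  # hosts the scanner successfully assessed
    {"target": "web-01.corp.example.com", "scanned_days_ago": 2},
    {"target": "Web-02", "scanned_days_ago": 40},  # stale: outside a 30-day SLA
    {"target": "db-01", "scanned_days_ago": 5},
]


def normalise_host(name: str, domain: str = CORP_DOMAIN) -> str:
    """Canonical asset key: lower-cased short hostname with the corporate suffix removed."""
    name = name.strip().lower()
    suffix = "." + domain
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    return name


def freshest_by_host(records, host_field: str, age_field: str) -> dict:
    """De-duplicate: one entry per canonical host, keeping the most recent observation."""
    ages = {}
    for rec in records:
        host = normalise_host(rec[host_field])
        age = rec[age_field]
        if host not in ages or age < ages[host]:
            ages[host] = age
    return ages


@dataclass
class Asset:
    host: str
    owner: str
    criticality: str
    edr_age: Optional[int] = None   # days since the EDR agent last checked in (None = no agent seen)
    scan_age: Optional[int] = None  # days since the last successful vulnerability scan (None = never)


def build_posture(cmdb, edr, scans, edr_sla_days: int = 7, scan_sla_days: int = 30) -> dict:
    """Enrich CMDB assets with de-duplicated tool observations and compute coverage metrics."""
    edr_ages = freshest_by_host(edr, "hostname", "last_seen_days")
    scan_ages = freshest_by_host(scans, "target", "scanned_days_ago")

    assets = []
    for row in cmdb:
        key = normalise_host(row["host"])
        assets.append(Asset(key, row["owner"], row["criticality"],
                            edr_ages.get(key), scan_ages.get(key)))

    known = {a.host for a in assets}
    # Hosts a tool sees but the inventory does not: a coverage gap in the CMDB itself.
    unknown = sorted((set(edr_ages) | set(scan_ages)) - known)

    def within(age: Optional[int], sla: int) -> bool:
        return age is not None and age <= sla

    total = len(assets)
    edr_ok = [a for a in assets if within(a.edr_age, edr_sla_days)]
    scan_ok = [a for a in assets if within(a.scan_age, scan_sla_days)]
    high_no_edr = sorted(a.host for a in assets
                         if a.criticality == "high" and not within(a.edr_age, edr_sla_days))

    return {
        # What a dashboard reports if it divides raw EDR records by inventory size.
        "naive_edr_pct": round(100 * len(edr) / total, 1),
        # What remains after de-duplication, normalisation and the freshness SLA.
        "edr_coverage_pct": round(100 * len(edr_ok) / total, 1),
        "scan_coverage_pct": round(100 * len(scan_ok) / total, 1),
        "high_criticality_without_edr": high_no_edr,
        "unknown_assets": unknown,
    }


if __name__ == "__main__":
    for metric, value in build_posture(CMDB, EDR_AGENTS, VULN_SCANS).items():
        print(f"{metric}: {value}")
```

On this constructed data the raw-count figure says EDR coverage is 100%, while the cleaned figure is 50%, with two high-criticality payments hosts missing an agent and one host that no inventory knows about. The point for a board-level report is that the second set of numbers, not the first, is the one a CISO can stand behind.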
