CISOs, Boards, CIOs: Not dancing Tango. But Boxing.

What happens when parents in the house talk to each other in different languages? What happens when one greets whistleblowers and one shuts the door on them? What makes it easy for burglars – a house with not enough locks or constant dinner-table arguments on which doors to lock? What happens when Good Cop-Bad Cop start fighting themselves?

Pratima H

In a recent study, it was revealed that while CISOs are looking at risks, compliance and threat-gravity from their telescopes, Boards still want to look at it all from their keyholes of cyber-literacy, downtime, and business metrics. 52 per cent of CISOs prioritise innovating with emerging technologies; just 33 per cent of boards agree it’s a priority. Boards are more receptive when CISOs position cybersecurity as essential to business continuity and shareholder value, but CISOs still stammer in that lingo. And 28 per cent of CISOs have felt pressured not to disclose compliance issues. These numbers give enough hints of the domestic battles happening inside enterprises, and Prashant Chaudhary, Area Vice President, Splunk India, helps us comb through these findings with a finer fork.


What are the areas of conflict or misalignment between CISOs and their boards that came up in the recent Splunk CISO Report 2025?

This report reveals that there are many areas of misalignment between CISOs and their boards, even as their interactions become more frequent and reporting lines improve.

While 82 per cent of CISOs now report directly to the CEO (up from 47 per cent in 2023), boards remain unconvinced of their effectiveness. Only eight per cent of board members believe CISOs exceed expectations, despite 84 per cent acknowledging they meet expectations. CISOs overestimate alignment on core responsibilities like budgeting and strategic cybersecurity goals, while boards demand clearer ties to business outcomes.

Another area of tension is around compliance and risk. Boards tend to view regulatory compliance as a critical metric for CISO performance, whereas most security leaders view it as low impact compared to security posture and risk mitigation. This disconnect is stark in APAC, where 28 per cent of CISOs have felt pressured not to disclose compliance issues—the highest among the regions surveyed.

Are there any areas where they shake hands?


The study also uncovered promising areas of common ground. Both CISOs and boards agree on the importance of protecting sensitive data and recognise the potential of AI, albeit with caution. There’s shared concern about AI’s role in boosting sophisticated attacks, but also optimism regarding its use in threat detection and automation. Boards are more receptive when CISOs position cybersecurity as essential to business continuity and shareholder value. This insight is particularly crucial for Indian enterprises looking to scale securely in a digital-first economy.

Any special highlights you saw in terms of verticals or business-size variations?

Vertical-specific findings offer further nuance. The manufacturing sector reports the lowest levels of board support and cyber maturity. Only 20 per cent of manufacturing CISOs feel they have adequate budgets, despite facing the highest volume of attacks. In contrast, the financial services sector, critical for India’s fintech ecosystem, shows stronger alignment, with 55 per cent of boards prioritising cybersecurity investments.


The overarching takeaway is clear—digital resilience starts in the boardroom. For India Inc., where digital infrastructure is foundational, bridging the CISO-board gap is both a security and an economic imperative. As cyber risk becomes a business risk, organisations need CISOs who can articulate security’s role in growth, and boards willing to treat cybersecurity as a strategic capital. This mindset shift is essential as we balance compliance with innovation and navigate the opportunities and threats of the AI era, charting the course for a digitally resilient India.

With over 80 per cent of CISOs getting interaction and engagement with CEOs, how has security changed—in terms of investments, attention and strategic value?


Our report shows that this greater interaction is helping to narrow the gap between CISOs and boards when it comes to top security priorities. Notably, 70 per cent of boards and 68 per cent of CISOs now agree that protecting sensitive company information is critical.

This means that security is increasingly viewed as a driver of digital trust, operational resilience, and shareholder value. Boards are expecting CISOs to play a key role in revenue protection and risk-informed innovation, especially in sectors like financial services, where cyber risk directly impacts customer confidence and market reputation. In India’s fast-growing digital economy, this shift empowers security leaders to influence not just infrastructure decisions, but the strategic direction of how businesses build, scale, and protect their digital assets. Direct CEO engagement is making cybersecurity more central to business strategy, investment, and growth.

Does the CISO-CXO-Board relationship affect security budgets in a big way? How?


Only 29 per cent of CISOs believe they receive adequate cybersecurity funding, versus 41 per cent of board members who think budgets are sufficient. This misalignment affects security outcomes, with 52 per cent of CISOs postponing critical updates due to budget constraints, and 62 per cent of those organisations subsequently experiencing breaches.


What’s the solution to bridge this gap?


Communication style significantly impacts funding success. While the majority of boards find ‘security as a business enabler’ most convincing for budget increases, less than half of CISOs frame requests this way.


Therefore, CISOs who ‘speak board’ – emphasising ROI, business growth impact, and quantifying downtime costs – secure better funding. This communication skill is becoming essential as cybersecurity increasingly affects core business outcomes, with boards prioritising investments that demonstrate tangible business value rather than just technical security capabilities.

Do CXOs align well with CISOs in areas like deep-fake training, ransomware response, cybersecurity insurance, data sovereignty and compliance approaches?

When it comes to these complex cybersecurity subjects, the alignment between CXOs and CISOs is uneven and still maturing. Our findings show that while 53 per cent of CISOs believe AI gives attackers an advantage (down from 70 per cent in 2023), boards are yet to fully grasp the urgency. The data shows misalignment in several areas – 57 per cent of CISOs cite highly realistic phishing and deepfakes as their top AI-driven concern, yet investment in defensive capabilities lags. Ransomware remains a critical concern in financial services, where 65 per cent of organisations experienced attacks (vs. 48 per cent across all industries). On compliance, the disconnect is stark. 45 per cent of boards rank regulatory compliance as a top success metric, but only 15 per cent of CISOs agree.

Effective governance frameworks also show regional disparities, with only 40 per cent of APAC organisations establishing clear incident protocols, which is behind the rest of the world. Organisations with boards that include cybersecurity expertise demonstrate better alignment, with 80 per cent rating their strategic goal alignment as excellent compared to 27 per cent of organisations without such expertise.

As boards become more cyber-literate, alignment on these complex challenges will improve, but significant gaps remain that require CISOs to continue serving as educators and strategic advisers.

When does compliance reporting cross the whistleblower doorstep? Do CISOs accentuate it? Why do 15 per cent put it as a top performance metric vs. 45 per cent of Boards?

Indeed, there is a troubling reality where compliance reporting often approaches the whistleblower threshold. 21 per cent of CISOs admitted that they have been pressured not to report compliance issues, and this figure is even higher in APAC. Strikingly, the majority of CISOs said they would become whistleblowers if their organisations ignored regulatory requirements, emphasising the personal liability they shoulder as regulations become more punitive and reporting windows narrow.


The gap between how CISOs and boards view compliance metrics (15 per cent vs. 45 per cent) reflects fundamentally different perspectives on security. While boards see compliance as a concrete, measurable risk mitigation strategy and governance framework, CISOs view it as just the starting point for true security.

In India’s evolving digital landscape, this tension has become significant as new regulations like the DPDP Act introduce stricter compliance requirements. Organisations with better CISO-board relationships will be able to navigate this challenge more effectively.

Why do only eight per cent of board members feel that CISOs exceed expectations? What are the gaps or conflicts here?

This stems from fundamental misalignment in how success is defined and measured. While CISOs consistently rate their board relationships more positively than boards do, it is not translating to exceptional performance in boards’ eyes.

Why?

The core disconnect lies in how each group prioritises responsibilities and measures success. 58 per cent of CISOs spend most of their time on technical security operations—choosing, installing, and operating technology—while 52 per cent of boards believe CISOs should primarily focus on enabling the business and aligning security with business objectives. This creates an expectation gap, particularly regarding business impact.

To close this gap, CISOs need to evolve beyond technical proficiency toward business leadership. Boards want CISOs to develop business acumen, while CISOs focus more on technical collaboration. Organisations with the strongest CISO-board relationships demonstrate that when CISOs embrace a business-oriented perspective, they become strategic partners rather than technical specialists, significantly increasing their perceived value.

Any interpretation of why the ROI of security investments is measured differently between these two roles: 42 per cent for CISOs and 54 per cent for Boards? How can CISOs quantify security risks and ROI when prevention is the key goal and when security slows down things, adding some necessary friction?

This disparity stems from fundamentally different perspectives on value. While boards primarily evaluate security through financial metrics and business outcomes, CISOs tend to measure success through operational metrics like incident impact and security milestone attainment. This creates a significant communication gap when justifying investments that can be perceived as hurdles to speed and innovation.

Successful CEOs are learning to translate security value into board language. When presenting budget requests, 64 per cent of boards find positioning security as a business enabler most convincing, yet only 43 per cent of CISOs use this approach. There is an opportunity here for CISOs to change the narrative by translating preventive measures into tangible business language. 53 per cent of CISOs with strong board relationships can create effective plans of record for security initiatives (vs. 37 per cent without such relationships), largely because they frame security in business terms.

Any areas of conflict that we should reckon on the CISO-CIO side as well?

The leadership dynamic between CISOs and CIOs may experience significant friction despite sharing the common goal of defending digital infrastructure and enabling growth. Key reasons for tension include data sprawl across complex environments, budget and ownership silos, and the rapidly evolving threat landscape.

With workloads distributed across sprawling, hybrid, and multi-cloud environments, data from disparate systems often results in neither security nor infrastructure teams having full, real-time visibility across the entire landscape. This in turn leads to delays in threat detection, confusion over where risks truly reside, and often conflicting assessments of priorities.

Also, CISOs often lack control over the infrastructure they are tasked with securing, while CIOs are expected to deliver innovation on lean budgets. This leads to mismatched priorities. CISOs seek resilience and risk reduction, whereas CIOs are incentivised to chase performance, uptime, and speed.

Does AI make things worse or better here?

The surge in AI usage is both a weapon and a shield. CIOs are eager to deploy AI to optimise operations, while CISOs are cautious about prompt injection risks, LLM exposure, and shadow AI deployments. This creates a natural push-pull dynamic between agility and caution, especially relevant in India’s critical infrastructure sectors like payments and utilities.

The antidote lies not just in fine-tuning processes but in establishing shared visibility and collaboration through unified observability platforms that provide both teams with a single source of truth. When both SecOps and ITOps operate within a unified platform, they gain shared visibility across the entire environment, enabling real-time collaboration on incident response, threat triage, and performance degradation. This eliminates redundant alerts, false positives, and gaps caused by siloed systems.


pratimah@cybermedia.co.in