As the cybersecurity function becomes increasingly integral to organizations, the CISO role continues to grow in importance, complexity, and scope of responsibilities. This evolution presents an opportunity for CISOs to expand their strategic influence with top leadership and opens up avenues for professional growth.
In this piece, we highlight findings and guidance from our State of the CISO, 2025 Summary Report on the changes to the CISO role and offer recommendations for CISOs navigating the challenges associated with this evolution. We also offer insights into the current state of the CISO profession and the changes taking place in remit and expectations.
This edition of the annual survey, jointly fielded with Artico Search, featured objective data from over 830 CISOs regarding roles, compensation, job satisfaction, board engagement and career development.
CISOs' Strategic Influence in the Organizational Hierarchy
Approximately 39% of CISOs hold executive-level titles, including executive VP (EVP) and senior VP (SVP), which is a gradual increase from 35% two years ago. Among these executive-level CISOs, 35% at smaller organizations (with annual revenues up to $1 billion) report directly to the CEO, compared to 12% at larger enterprises (with revenues exceeding $1 billion). In contrast, just 3% of large-firm director-level CISOs report to the CEO, with more than a third separated from top executives by at least three organizational layers.
These disparities underscore significant differences in strategic influence and organizational alignment between director-level and executive-level CISOs, as laid out in Figure 1.
How Often CISOs Engage with Their Boards
Currently, 47% of CISOs engage with their boards monthly or quarterly. In enterprises with annual revenues exceeding $10 billion, 65% of CISOs have at least quarterly board engagement. In contrast, smaller organizations with annual revenues under $400 million lag behind, with 37% having monthly/quarterly board engagement and 42% meeting with their boards on an ad hoc basis, if at all, as shown in Figure 2.
It is clearly more common for CISOs to have board visibility and influence at larger organizations that have more developed risk governance structures and are subject to regulations that require boards to oversee cybersecurity risks. CISOs at smaller, often privately held firms may need to create other opportunities to engage with board members if they don’t engage as often during formal meetings.
Three CISO Segments and Boardroom Influence
As shown in Figure 4, companies are at different stages in terms of giving their CISO greater C-level access and boardroom influence. C-level access is associated with holding an executive-level position with close organizational proximity to the CEO, and boardroom influence is tied to monthly or quarterly engagement with the full board or serving as a board subcommittee member.
By evaluating respondents along these two dimensions, we identified three distinct segments:
- Strategic CISOs (28%): These CISOs report directly to the CEO or occupy a high-ranking position in the hierarchy, and therefore hold significant influence within their organization and with top executives. They maintain regular engagement with the board, meeting at least quarterly, either in full board sessions or as members of subcommittees.
- Functional CISOs (50%): This group excels in one of the aforementioned areas—either C-suite access or boardroom influence—but lags in the other compared to peers in the Executive group.
- Tactical CISOs (22%): These CISOs have limited executive-level access due to their lower organizational rank and sporadic board engagement.
IANS Faculty member and Artico Search partner Steve Martano elaborates on these segments:
“CISOs who successfully navigate the complexities of the C-suite and the boardroom command higher salaries. These CISOs drive more visibility by adding value on business risk conversations and decisions, are viewed on par with other peers in the C-suite and are considered strategic business executives rather than technology leaders.”
How CISOs Can Gain C-level Access and Influence
The absence of adequate C-level access or opportunities to engage with the board can lead to frustration among CISOs and cause them to feel undervalued or constrained in their role. Drawing on insights from our experts at IANS and Artico Search, we provide a sample of actionable recommendations below to help CISOs overcome these barriers.
Tactical CISOs: “I’m not getting invited”
Recommendations: To overcome this, start by increasing your visibility within the organization at large. Volunteer for cross-functional projects and committees and help your colleagues understand how these initiatives connect to security issues.
Functional CISOs: “I don’t have time to be strategic”
Recommendations: Delegation is key to freeing up your time for strategic work. Build and organize your team with clear roles and responsibilities, equipping your leaders to take ownership of operational tasks so you can focus on broader organizational priorities.
Strategic CISOs: “I have visibility, but I’m not recognized as a true executive partner”
Recommendations: Start by reflecting on your current brand within the organization. Are you seen as a technical leader or a strategic partner on par with the CFO, chief product officer, or chief revenue officer? Shift your approach from providing technical updates to initiating more open-ended, strategic governance discussions.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, conducts a survey of CISOs across the U.S. and Canada on CISO compensation, security budgets, key security staff compensation and job satisfaction.
The findings from this survey are published in a series of in-depth reports that feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, budget, department and career path.
Download the State of the CISO, 2025 Summary Report, the fourth in our 2024-2025 series of reports, for additional insights and data on the evolving CISO role within the security organization.