Four ways CISOs can strengthen their influence in the boardroom
By Craig Bates, Senior Vice President and General Manager, Asia Pacific, Splunk
Tuesday, 11 March, 2025
Cybersecurity is a top business priority — yet chief information security officers (CISOs) and board members still struggle to meet eye to eye. While both recognise that cyber risk is business risk, they often view the problem and solutions through different lenses.
According to Splunk’s CISO Report 2025, 83% of CISOs globally have a seat in the boardroom, showing progress in their influence on business matters. However, only 29% of them report that their board includes at least one member with cybersecurity expertise. This suggests that while boards are paying more attention to cybersecurity, many lack the deep technical knowledge needed to fully grasp the complexity of today’s cyber risks.
This disconnect can affect digital resilience, or the ability of a business to anticipate, withstand, recover from, and adapt to cyberthreats. Boards typically prioritise financial risk, regulatory compliance and shareholder confidence, while CISOs focus on security controls, operational resilience and incident response. Without a collective understanding, cybersecurity efforts may be underfunded, under-prioritised or only addressed after an incident occurs.
To build digital resilience, CISOs need to bridge this gap and ensure that cybersecurity is treated as a long-term investment rather than a reactive cost.
Here are four ways CISOs can improve their relationship with the board and position cybersecurity as a key driver of business stability and growth.
1. Talk about cybersecurity in business terms
Cybersecurity often gets discussed in highly technical terms — endpoint detection, firewalls, security information and event management (SIEM) — but board members don’t require every detail. Ultimately, what matters is how cybersecurity affects revenue, operations and long-term growth.
Recent data indicates that while most board members (84%) feel that their CISOs meet expectations, only a small percentage (8%) believe those expectations are exceeded. This shows that CISOs could be doing more to demonstrate the true value of cybersecurity measures.
CISOs need to shift the conversation from technical specifics to business outcomes. Cybersecurity investments should be framed in terms of return on investment (ROI), demonstrating how proactive cybersecurity spending reduces downtime, protects revenue and safeguards brand reputation. Running real-world exercises, like data breach simulations, can also highlight cybersecurity’s role in maintaining digital resilience.
Clarity is also key. Instead of saying: “We’re implementing AI-driven security tools to strengthen threat detection”, a stronger message is: “AI tools cut response times from 12 hours to 30 minutes, minimising downtime and financial costs”. Tying cybersecurity to business impact makes it more relevant to the board.
2. Master business acumen
With 53% of CISOs saying their job has become more complex, boards are leaning on security leaders who understand not only their craft but broader business goals.
CISOs must actively develop their business acumen by learning the basics of financial principles, risk and change management, and corporate strategy. Engaging with finance, legal and operations teams, while participating in budget and strategy discussions, provides valuable insights into business decision-making. Investing in leadership development or mentorship programs can further improve their ability to think beyond cybersecurity and align with business priorities.
And it’s not just mastering business acumen. CISOs will also need to develop soft skills. This includes honing more effective means of communication and understanding how boards prefer to receive information. Refining emotional intelligence will also go a long way.
3. Take charge of compliance and accountability
With Australia’s regulatory landscape tightening through measures like the Cyber Security Act 2024 — which mandates minimum cybersecurity standards for smart devices and introduces mandatory ransomware and cyber-extortion reporting obligations for businesses — CISOs are under increasing scrutiny for cybersecurity failures. The majority say they would consider whistleblowing if their organisation ignored compliance requirements. At the same time, businesses must determine which cyber incidents are significant enough to disclose. Without clear definitions, they risk misjudging the impact, leading to regulatory penalties and reputational fallout.
To stay ahead, CISOs can start by reviewing local regulations and their own legal accountability. Consulting legal counsel can help clarify personal liability and address gaps in employment contracts. Equally important is educating the board on compliance risks, ensuring leadership fully grasps the financial and legal consequences of failing to meet regulatory requirements.
4. Make actionable recommendations
To navigate the unpredictable business and technology landscape, CISOs need to provide recommendations that anticipate risks and enable secure innovation. As businesses increasingly rely on artificial intelligence to automate processes and analyse troves of data, CISOs should recommend AI-driven data management strategies to ensure these systems are implemented securely.
By advising on AI adoption policies, data governance frameworks and risk assessment models, CISOs can help businesses leverage AI safely while minimising exposure to threats like data manipulation, unauthorised access and regulatory non-compliance. This proactive approach ensures CISOs not only protect the business but also guide leadership on securely adopting new technologies.
Building digital resilience requires CISOs to position cybersecurity as a business enabler, not just a technical function. By aligning cybersecurity with business goals, strengthening leadership skills, ensuring compliance and making proactive recommendations, CISOs can bridge the gap with the board and make cybersecurity a business priority.