SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

CISOs brief boards often but lack strategic influence

Fri, 6th Mar 2026

A new survey-backed report from IANS, Artico Search and The CAP Group finds that board-level cybersecurity briefings have become routine, but many Chief Information Security Officers still have limited influence over strategy and financial decisions.

The 2026 CISO-Board Engagement Report shows that 95% of CISOs provide regular updates to their boards, yet only 10% influence financial decisions. The findings point to a gap between formal reporting and the dialogue that shapes investment and risk appetite.

The research combines a survey of 17 board directors with benchmarking data from 663 CISOs across North America, examining how boards oversee cyber risk and how CISOs engage with directors in practice.

Engagement varies by forum and time. Sixty percent of CISOs engage with the full board, while 35% present at the committee level. Many sessions remain brief: only 25% of CISOs said board discussions on cyber risk extend beyond 30 minutes.

Strategic influence

Several findings suggest board conversations often focus on current-state reporting rather than future planning. Only 15% of CISOs participate directly in strategy setting. The report also notes that directors and CISOs can remain "protocol-bound," following routines that do not always lead to deeper challenge and debate.

Relationships between boards and security leaders also vary in strength. Only 30% of boards described their relationship with the CISO as strong and collaborative.

Directors reported good visibility into the current cyber-risk position. Boards commonly receive information on resourcing needs, regulatory trends and programme initiatives, but directors want more forward-looking insight in fast-changing areas.

Reporting quality also varies by topic. While 82% of directors rated CISOs' reporting on regulatory trends as satisfactory or excellent, only 47% said the same about CISOs' ability to explain the impact of evolving threats.

AI risk focus

Two topics stood out as needing improvement. More than half of directors (53%) said reporting on the impact of evolving threats needs work, and 47% said the same about AI-driven risk.

The focus on AI reflects how cybersecurity oversight is expanding beyond traditional controls and compliance. Boards increasingly want to understand how new technologies change the risk profile, and how cyber issues connect to business operations and investment decisions.

Steve Martano, IANS Faculty and Partner in Artico Search's cyber practice, said board reporting has improved structurally, but content and discussion still lag in many organisations.

"Cybersecurity reporting to boards has matured structurally, with time allocated to CISOs becoming much more commonplace, but gaps still remain," Martano said.

He linked stronger outcomes to the quality of the narrative and how it frames trade-offs. "The best security presentations drive holistic discussions on cyber risk and business risk. These discussions are driven by a CISO who forms a concise data-driven narrative and fosters discussion and brainstorming around risk tolerance, risk strategy, and cyber/tech risk ROI," he said.

Nick Kakolowski, Senior Director CISO Research at IANS, said the gap between regular briefings and strategic decisions remains a central issue.

"What we're seeing is that while boards are consistently informed, many are still working to translate cyber reporting into strategic decision-making," Kakolowski said.

He also pointed to AI as an area where directors want clearer visibility. "Directors want clearer insight into what's coming next, particularly as AI reshapes both the threat landscape and enterprise risk," he said.

Brian Walker, CEO at The CAP Group, described AI as a board-level governance issue directly linked to cyber risk.

"AI is now a primary driver of cyber risk, both enabling more sophisticated attacks and introducing new forms of loss as AI models become high-value assets. AI and cybersecurity are inextricably linked, and boards must understand the business risks of both," Walker said.

The report concludes that effective oversight depends less on how often CISOs present and more on the depth of dialogue and clarity around decision rights. It also warns that visibility into current-state risk does not always translate into preparedness for emerging risks, particularly as AI changes attacker behaviour and increases the value of data and models as assets.