A new global study of chief information security officers (CISOs) suggests that while cyber resilience is increasingly seen as a driver of business growth, significant gaps remain in AI readiness and software supply chain visibility.
The report, Persona Spotlight: CISO, released by managed security services provider LevelBlue, draws on insights from cybersecurity leaders and builds on earlier research into cyber resilience and business impact. It finds that the CISO role has expanded beyond traditional defence, with many security leaders now positioning cybersecurity as an enabler of innovation.
Sixty per cent of CISOs surveyed described themselves as highly competent in cyber resilience, core security operations and collaboration with the broader business. Sixty-one per cent said their adaptive cybersecurity approach allows their organisation to take greater risks in innovation.
However, confidence declines when it comes to AI-driven threats. Only 53 per cent of respondents said they feel prepared to defend against adversaries using AI-enabled tactics. At the same time, 45 per cent expect AI-powered or deepfake attacks to affect their organisation within the next 12 months.
The findings suggest a widening gap between anticipated threat evolution and perceived defensive capability.

The report also indicates progress in how cybersecurity is positioned within organisations. More than half of senior executives are reportedly less likely than a year ago to treat cybersecurity as a siloed function, reflecting growing recognition of shared accountability.
Yet alignment challenges persist. Only 45 per cent of CISOs believe business risk appetite is effectively aligned with cybersecurity risk management. Just 37 per cent said cybersecurity budgets are embedded into projects from the outset. Governance gaps remain a concern, with 60 per cent citing limited understanding of cyber resilience within governance teams and unclear ownership structures as barriers to progress.
While 55 per cent reported that cybersecurity is increasingly treated as a shared leadership responsibility, and 57 per cent cited effective communication between security teams and the wider organisation, only 43 per cent described their organisation as having a truly effective cybersecurity culture.
Supply chain risk emerged as a notable blind spot. Despite increased regulatory scrutiny and high-profile third-party breaches globally, only 31 per cent of CISOs identified the software supply chain as their greatest security risk. Just 25 per cent said assigning confidence levels to suppliers is a priority for improving visibility.
The findings point to a tension within the modern CISO mandate: balancing cyber resilience as a growth enabler while addressing structural weaknesses in AI security preparedness, third-party risk management and executive alignment.
As organisations accelerate AI adoption and deepen digital interdependencies, the report suggests that strengthening governance, embedding security into business strategy and improving supplier transparency will be critical to sustaining both resilience and growth.
