Research, conducted by Dr. Simon Learmount, Associate Professor for Corporate Governance at Cambridge Judge Business School, University of Cambridge, entitled “Beyond the Firewall” in collaboration with global cybersecurity company ISTARI examines the challenges and responsibilities facing Chief Information Security Officers (CISOs) today.
The report draws on candid interviews (with strict anonymity) with CISOs, board directors, regulators and policymakers across multiple sectors and geographies.
In the UK alone, the National Cyber Security Centre manages four nationally significant incidents every week.
As Rossa Shanks, CEO of ISTARI says in the Foreword of the research findings:
“Unlike the physical world, where jurisdictions are clear and order is enforceable, the digital realm is a patchwork of overlapping mandates and conflicting responsibilities. In this borderless landscape, there is no universal rulebook.”
This research addresses this vacuum. Shanks continues,
“It reflects a critical reality: as cyber risk evolves from a technical hurdle to a systemic threat, the traditional silos of governance are failing. Boards can no longer afford to be reactive. To govern effectively, they must develop the institutional foresight to anticipate crises before they arrive, as gaps in understanding are not just administrative flaws; they are the primary inhibitors of recovery.”
CISOs today face rapidly expanding challenges
The challenges and responsibilities facing Chief Information Security Officers (CISOs) have expanded so rapidly that the position has become unsustainable and risks undermining corporate cyber resilience. In essence, Learmount’s report calls for boards of directors to pay urgent attention to an issue that threatens both company finances and reputation.
This issue has taken on added importance following recent claims by AI company Anthropic that its new Claude Mythos model can perform some hacking and cybersecurity functions better than humans can, raising new concerns over corporate cybersecurity.
The CISO role has quickly transformed from a mostly technology-focused position into one requiring a strategic business leader whose duties touch every part of the firm. Yet the report reveals a growing gap between what organisations expect of CISOs and the structures, skills and support needed to meet those expectations, including a lack of full buy-in from boards of directors.
“Boards often lack a shared language and basic cybersecurity knowledge,” says the report. “Tensions remain in many organisations around the CISOs’ mandate and voice at the top table.
“Despite sitting in the same meetings, CISOs and directors may not be speaking the same language or measuring success by the same yardsticks,” the report adds. “There is a pressing need for targeted training and development to build cyber governance capability at all levels.”
“Most boards have spent the last decade learning to ask whether they are secure. That was always the wrong question,” says Dr. Learmount. “The question now is whether they are resilient – whether the organisation can absorb a hit and keep operating. That is a question very few directors I meet are equipped to answer.”
The report highlights include:
- The misleading conflation of compliance frameworks with true cyber resilience, leading to narrow and misleading success metrics
- Limited mechanisms to visualise and manage supply-chain risk across complex ecosystems
- Growing regulatory fragmentation, forcing CISOs to juggle overlapping and sometimes conflicting compliance obligations
The report underlines that firms need a continuous process, not a one-off exercise, to respond to the changes in the CISO’s role and to the challenges and threats those changes bring.
“These findings position cybersecurity and digital governance as an urgent leadership priority,” the report concludes. “The takeaway is clear: cybersecurity and digital governance require urgent attention, sustained investment and a long-term commitment from leadership – a journey that must begin now to secure the organisation’s digital future.”
Find the link to the findings and the report here: https://www.jbs.cam.ac.uk/2026/report-growing-ciso-role-poses-risks-for-companies/