The Role Of The CISO Hits A Boardroom Access Wall, 2026 Report Finds

The CISO’s role is expanding at many companies, but at other firms CISOs still lack access to top decision-makers. A new report looking at this layer of corporate leadership finds just 25% of CISOs say board briefings on cyber risk last longer than 30 minutes. The 2026 Benchmark Report: How Boards Are Partnering With CISOs was created by IANS, Artico Search, and The CAP Group. A CISO at a large, publicly traded financial services company explains the problem: “There’s interest in the reports I present, but almost no follow-through.”

“CISOs must equip the board with enough context about emerging technologies like AI to allow the board to understand the broad risks the organization is taking,” said Nick Kakolowski, Senior Director, CISO Research at IANS.

The report is based on data from over 650 CISOs. Boards expect regular cybersecurity updates, and CISOs consistently provide them. The findings show that 95% regularly update the board on cybersecurity. Sixty percent engage with the full board, while 35% work with at least one board committee.

Boards now deal with risks around the clock. Cyber attackers do not take weekends or holidays off, and digital operations are always running. Directors need processes that keep up with this pace and clear decision-making authority before the next incident happens.

“The conversation isn’t one of pulling the board into operational decisions or specific controls, but of ensuring all stakeholders have a shared understanding of the organization’s risk tolerance when adopting technologies that present significant unknowable variables,” added Kakolowski.

Board Briefings Become Table Stakes

All directors surveyed said management reporting is a key source of information on cyber risk. Fifty-nine percent also mentioned metrics and dashboards, and the same percentage pointed to enterprise risk frameworks. Fifty-three percent said they rely on outside experts.

Hands-on testing remains limited. Forty-seven percent of directors mentioned committee briefings, while 41% cited escalation protocols, tabletop exercises, and board training. The report cautions, “Most boards are briefed, but not battle-tested.”

The Role of the CISO Needs More Airtime With The Full Board

Time is limited. Many boards restrict CISO updates to about 30 minutes. When updates go through committees, fewer people hear them. This process can reduce urgency and make accountability less clear.

Some boards allow for more in-depth discussions. About 25% of CISOs say their sessions last longer than 30 minutes. A CISO at a publicly traded insurance company shares, “Our quarterly sessions are truly interactive.” The CISO adds that the board comes prepared.

Steve Martano, IANS faculty and partner in Artico Search’s cyber practice, wants a strategy talk. “The best security presentations are holistic discussions.” He calls for debates on risk tolerance and ROI.

“Boards typically operate with a clear mandate and role. It isn’t on directors or C-suite execs to change to fit the CISO. It is up to security executives to contextualize the risks they are seeing in a way that fits not only the language these leaders are using, but the perspective they have on the business,” noted Kakolowski.

Directors Ask For A Future-Focused Threat Story

Directors had mixed opinions about how effective the updates are. Twenty-nine percent said the updates are very effective, 53% said they are somewhat effective, and 18% were neutral.

Directors also pointed out important gaps in the content. Fifty-three percent said reporting on evolving threats needs to improve. Forty-seven percent want better updates on AI and new technology trends. Forty-one percent said cyber business risk assessments need improvement.

Kakolowski of IANS said, “Directors want clearer insight into what’s coming next.”

AI Turns Into A Board-Level Loss Driver

The report identifies AI as a key governance issue. AI allows attackers to act faster and more convincingly, and it also produces valuable models and data that can be stolen. Brian Walker, founder and CEO of The CAP Group, says, “AI is now a primary driver of cyber risk.”

Boards now have related oversight challenges. They need to manage how AI is used within the company and also address AI-driven threats from outside. These decisions affect the company’s resilience and insurance position.

Partnerships Still Show Uneven Trust

Levels of trust and partnership differ widely among boards. Thirty percent described their relationship as strong and collaborative, while 35% called it adequate and functional. Twenty-four percent said it needs improvement, and 11% reported no direct engagement.

A director described the between-meeting gap. The director says, “Our relationship is solid, and communication works.” The director adds, “It’s still a bit transactional.” That dynamic keeps the CISO in reporting mode. It can also delay budget and control decisions.

A Director’s Playbook For Faster Decisions

The report provides a straightforward playbook for boards, focusing on three main themes. Directors can set clear expectations for risk discussions that align with business goals and define decision-making authority. They can also improve engagement by spending more time directly with CISOs and holding executive sessions. The report advises boards not to send all issues through the CIO, CTO, or CFO.

Directors can also increase touchpoints between meetings. They can run tabletop exercises with the full board. They can ask for deeper dives on emerging threats and AI risk.

“CISOs who discuss risk at a peer level get treated as belonging. Those who try to pull the board into operational risk get phased out of the discussion,” said Nick Kakolowski.

FAQ: THE ROLE OF THE CISO

What Does “The Role of the CISO” Mean In Board Governance?

It means the CISO guides how leaders understand cyber risk, resilience, and security investment choices.

Why Does The Role of the CISO Need More Access To Decision Makers?

Because budgets, risk appetite, and response authority sit with top executives and the full board.

How Often Do CISOs Report To Boards, According To The Study?

The report finds 95% of CISOs provide regular updates to their boards.

Why Is “No Follow-Through” After Updates A Serious Problem?

It delays decisions on controls, staffing, and incident readiness. That delay can magnify breach losses.

What Cyber Topics Do Boards Understand Best Right Now?

Boards rate regulatory and compliance updates higher than threat impact and emerging risk insights.

Where Do Directors Want CISOs To Improve Their Messaging?

Directors want a clearer explanation of evolving threats, business impact, and AI-driven risk.

How Does Limited “Airtime” Affect The Role of the CISO?

Short briefings push CISOs into status reporting. They reduce time for strategic debate and decisions.

Why Does AI Raise Board-Level Cyber Risk Concerns?

AI enables faster attacks and creates high-value models and data. Those assets can drive new losses.

What Practical Steps Can Boards Take To Strengthen CISO Engagement?

Give the CISO direct full-board time, run tabletop exercises, clarify decision rights, and require action tracking after briefings.
