The New Boardroom Imperative: Elevating Cybersecurity from Compliance to Strategic Leadership

In this SecurityInfoWatch Executive Q&A, Nick Kakolowski of IANS and Steve Martano of Artico Search examine new benchmark findings that reveal why the quality of boardroom dialogue, not the frequency of reporting, is becoming the defining factor in effective cyber risk governance.

Key Highlights

  • Most CISOs provide regular updates, but only 30% of boards describe their relationship with CISOs as highly collaborative, limiting strategic dialogue.
  • Boards are comfortable with current cybersecurity programs but struggle to grasp the business impact of emerging threats, especially those driven by AI.
  • Effective cyber governance requires CISOs to act as trusted advisors, framing risks in business terms and fostering ongoing engagement beyond periodic reporting.
  • Short board discussions (around 30 minutes) hinder deep conversations; expanding engagement through committees or full-board meetings enhances strategic oversight.
  • AI introduces new governance challenges, including AI-powered attacks and regulatory compliance, demanding forward-looking risk assessments and clearer communication from CISOs.

Cybersecurity has earned a permanent place in the boardroom, but new research suggests that simply providing regular updates is no longer enough. According to the 2026 Benchmark Report: How Boards are Partnering with CISOs, conducted by IANS in collaboration with Artico Search and The CAP Group, 95% of CISOs now provide regular board updates, signaling that cyber reporting has become a standard governance practice. The challenge, however, is transforming those updates into meaningful strategic dialogue.

The research reveals that while boards are generally satisfied with reporting on current-state cybersecurity programs, compliance initiatives, and regulatory issues, many directors lack confidence in their organization's ability to understand the business impact of emerging threats, particularly those driven by artificial intelligence. Only 30% of boards describe their relationship with the CISO as highly collaborative, and most board discussions last only about 30 minutes, leaving little time for deeper conversations about risk appetite, investment priorities, and future resilience.

The findings highlight a growing need for CISOs to evolve from operational reporters into trusted business advisors capable of framing cyber risk in terms of enterprise strategy and business outcomes. They also underscore the importance of stronger governance models that encourage ongoing engagement between directors and security leaders.

The benchmark highlights a significant governance gap. Although cybersecurity oversight has become institutionalized, many board-CISO relationships remain transactional rather than collaborative. Only 30% of boards describe their relationship with the CISO as highly collaborative, while most security leaders have only about 30 minutes to brief directors, often limiting opportunities for deeper dialogue on risk appetite, investment priorities, business resilience, and strategic planning.

Artificial intelligence further raises the stakes. As AI rapidly transforms both the threat landscape and enterprise operations, directors are increasingly expected to oversee risks that extend well beyond traditional cybersecurity. AI-powered attacks, emerging regulatory requirements, and the need to protect AI models and data assets are creating entirely new governance responsibilities. The research suggests that boards are seeking greater clarity on how these evolving risks will affect business performance and long-term organizational resilience.

Drawing on benchmark data from IANS, Artico Search, and The CAP Group, Nick Kakolowski, Senior Director, CISO Research at IANS, shares what boards are telling researchers they need from today's CISOs, including clearer perspectives on emerging threats, AI-driven risks, governance responsibilities, and business impact. Steve Martano, an IANS Faculty member and Partner in Artico Search’s cyber practice, shares practical guidance on how security leaders can build more productive board relationships by developing concise, data-driven narratives that foster meaningful conversations about enterprise risk, cyber investment, risk tolerance, and measurable business outcomes.

Executive Q&A

SIW: With 60% of CISOs engaging with the full board but only 15% directly participating in strategy discussions, what structural or cultural barriers are preventing cybersecurity leaders from moving beyond reporting into true strategic influence? How should CISOs reposition cyber risk to earn a seat at the strategy table?

Steve Martano: Financial and operational risk are typically viewed as shared business responsibilities, while technology risk is often treated differently. CISOs are not the owners of enterprise risk—they are trusted advisors. To become strategic partners, boards must ask the right governance questions, and CISOs must present cyber risk in business terms that enable directors to guide discussions around risk appetite, investment priorities, and organizational resilience.

SIW: If only one-quarter of CISOs report that board-level cyber discussions extend beyond 30 minutes, what does that say about the maturity of cyber governance? What should a meaningful board discussion look like?

Nick Kakolowski: It should resemble the relationship boards have with their CFO. CFOs don't spend board meetings explaining accounting details; they focus on the financial risks and opportunities that matter most to the business. CISOs should adopt the same approach by serving as trusted advisors on the organization's most significant cyber risks. Rather than trying to force cybersecurity onto the agenda, they should connect cyber risk directly to business strategy and board priorities.

SIW: Boards report strong visibility into current cybersecurity programs, regulatory issues, and resources, yet many still struggle to understand evolving threats and AI-driven risk. Where is the disconnect, and how can CISOs better communicate future risk?

Steve Martano: Most CISOs naturally report on what has happened since the last board meeting and the current state of the security program. Our research shows that while boards value that information, they're equally focused on what comes next. Directors need forward-looking insight into how the threat landscape is evolving, particularly as AI reshapes enterprise risk. CISOs who can anticipate emerging risks and explain their potential business impact will help boards make better governance decisions and prepare for near- and mid-term technology challenges.

SIW: As organizations rethink cyber governance, how should they balance committee-level oversight with full-board engagement? Does today's threat landscape require a broader governance model?

Steve Martano: The more opportunities a CISO has to build relationships with directors, the more effective governance becomes. Whether through committee meetings or presentations to the full board, increased engagement creates opportunities for meaningful discussions about current and emerging technology risks, organizational resilience, and the company's overall risk appetite. Strong governance is built on ongoing dialogue, not simply periodic reporting.

About the Author

Steve Lasky

Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series.
