LevelBlue Study: CISOs Confident in Cyber Resilience, but AI and Supply Chain Risks Expose Gaps

New research finds most CISOs see themselves as business enablers, yet only half feel prepared for AI-driven threats, and few prioritize software supply chain visibility.
Feb. 11, 2026

Key Highlights

  • Most CISOs feel confident in core cyber resilience but are less prepared for AI-enabled threats, with only 53% feeling ready to defend against AI-driven attacks.
  • Organizational silos are decreasing, but gaps in governance, risk alignment, and cybersecurity culture persist, hindering operational effectiveness.
  • Supply chain risks remain underprioritized, with only 31% of CISOs viewing the software supply chain as a major security concern, leaving organizations exposed to external vulnerabilities.
  • Effective communication and shared leadership are improving, but cultural maturity and the integration of cybersecurity into business processes require further development.

Cybersecurity leaders are increasingly positioning themselves as drivers of business growth and innovation, but new research from LevelBlue suggests critical blind spots remain—particularly regarding AI-enabled threats and software supply chain risk.

The Dallas-based managed security services provider released its latest report, Persona Spotlight: CISO, on Feb. 11, examining how chief information security officers navigate a complex threat environment while supporting enterprise objectives. The findings build on insights from the company’s 2025 Futures Report: Cyber Resilience and Business Impact.

While high-profile attacks have elevated the prominence of cybersecurity in the C-suite, the report indicates that many CISOs must expand their comfort zones into emerging risk domains to stay ahead of evolving adversaries.

Confidence High in Core Cyber Resilience, Less So in AI Defense

According to the study, 60% of CISOs describe themselves as highly competent in cyber resilience, core security operations, and business collaboration, underscoring that the role has matured beyond traditional perimeter defense.

In fact, 61% report that their adaptive cybersecurity strategies enable their organizations to take greater risks in innovation, suggesting that security is increasingly viewed as a business accelerator rather than a cost center.

However, that confidence diminishes sharply when it comes to artificial intelligence.

Only 53% of CISOs report feeling prepared to defend against AI-enabled adversaries. At the same time, 45% expect AI-powered or deepfake-driven attacks to impact their organizations within the next 12 months — highlighting a looming preparedness gap.

Cybersecurity as a Shared Responsibility — In Theory

The report signals progress in breaking down organizational silos. More than half (52%) of senior executives are less likely than they were a year ago to treat cybersecurity as an isolated function, reflecting broader recognition that cyber risk is an enterprise-wide issue.

Yet structural and cultural barriers persist.

  • Just 45% of CISOs believe business risk appetite is effectively aligned with cybersecurity risk management.
  • Only 37% say cybersecurity budgets are embedded into projects from the outset.
  • Sixty percent cite governance teams’ limited understanding of cyber resilience, along with unclear ownership, as a primary obstacle to progress.

These findings suggest that while executive rhetoric may be shifting, operational alignment remains inconsistent.

Embedding Security Deeper into the Business

To counter these challenges, many CISOs are working to institutionalize cybersecurity within broader leadership frameworks.

More than half (55%) report that cybersecurity is increasingly treated as a shared leadership responsibility, with defined KPIs and performance metrics. Additionally, 57% say communication between security teams and the wider organization is effective.

Still, cultural maturity appears uneven. Only 43% of respondents say their organizations have established a truly effective cybersecurity culture, underscoring the need for continued investment in governance, accountability, and workforce education.

Supply Chain Risk: A Persistent Blind Spot

Despite escalating regulatory scrutiny and a growing number of supply chain–based attacks, the research highlights a significant disconnect in how CISOs prioritize third-party risk.

  • Only 31% believe their greatest security risk could originate from the software supply chain.
  • Just 25% consider assigning confidence levels to suppliers a priority for improving visibility.

This lack of focus on upstream dependencies leaves organizations exposed to cascading risks originating outside their direct control.

“Security leaders and CISOs are no longer just protecting the business — they are actively enabling it,” said Kory Daniels, Chief Security & Trust Officer at LevelBlue. “It is difficult to have meaningful conversations about client trust and supply chain trust without investing in the people, processes, and technologies that underpin a strong security program. Organizations that invest in cyber resilience are better positioned to earn and sustain consumer trust while embracing AI and other emerging technologies. To take that next step, business leaders must close critical gaps in AI security readiness, software supply chain visibility, and executive alignment.”

Recommendations for Strengthening Cyber Resilience

Based on the findings, LevelBlue recommends organizations:

  • Strengthen executive alignment to connect cyber resilience strategy with measurable business value.
  • Deepen collaboration between business and security teams to identify integration gaps and accelerate progress.
  • Leverage external expertise to address specialized challenges and build momentum.
  • Prioritize software supply chain risk by identifying urgent exposures and driving targeted improvements.

The full report is available through LevelBlue’s website.

About the Author

Steve Lasky

Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].
