CISOs shift from tech to boardroom risk, EC-Council says
Wed, 20th May 2026
EC-Council has released its Certified CISO Hall of Fame report, based on responses from 346 Certified CISOs across more than 87 countries.
The report recognises 50 cybersecurity executives from organisations including Microsoft, Google, Amazon Web Services, Citibank, PwC, KPMG, Accenture and the World Bank Group. It explores how the Chief Information Security Officer role is changing as artificial intelligence, governance and board-level risk rise up the corporate agenda.
The findings suggest technical oversight is no longer viewed as the defining feature of the senior cybersecurity post. Respondents instead identified business risk, resilience, executive communication and financial accountability as core parts of the role.
Artificial intelligence featured heavily in the survey. Three in four respondents said AI threat response capability will be the most important executive cybersecurity leadership trait through 2028, while 80% said their organisations are already integrating or moving towards AI-based cybersecurity operations.
That reflects a broader shift in what boards and management teams expect from security leaders. Rather than focusing only on incident response and infrastructure protection, many organisations now want CISOs who can explain cyber risk in business terms and contribute to wider strategic decisions.
Boardroom shift
The survey found that 97% of respondents said the CCISO qualification improved their ability to communicate with boards and executive leadership teams. Another 98% reported stronger confidence in business-driven cybersecurity decision-making after earning the credential.
Nearly nine in 10 said the qualification helped them move from technical roles into executive leadership positions. All respondents said they would recommend the certification as part of the executive pathway for future cybersecurity leaders, while three in four reported promotions or salary increases after gaining it.
Those figures underline the growing emphasis on management and governance in cybersecurity careers. In many large organisations, the senior security role now sits closer to enterprise risk management, compliance and operational resilience than to a narrowly defined technology function.
The list of recognised executives also highlights how widely that shift has spread across sectors. The organisations named span cloud computing, consulting, banking and multilateral finance, where cybersecurity increasingly overlaps with regulation, customer trust and business continuity.
The programme is aimed at senior cybersecurity professionals working at an executive and strategic level. It focuses on governance, enterprise risk management, security strategy, financial oversight, compliance, leadership communication and organisational decision-making.
Leadership role
Jay Bavisi, Group President of EC-Council, described the findings as evidence of a wider shift in the senior security function.
"Cybersecurity leadership is no longer confined to managing infrastructure or responding to incidents," Bavisi said. "Organisations today require leaders who can align cybersecurity with business priorities, communicate enterprise risk at the boardroom level, govern emerging technologies and AI responsibly, and guide resilience across increasingly complex digital ecosystems. As artificial intelligence rapidly reshapes enterprise operations and threat environments alike, the role of the CISO is evolving into one of the most critical leadership positions in modern business. The findings in the Certified CISO Hall of Fame 2025 Report reflect a profound global shift in how cybersecurity leadership is being defined."
The survey results come as boards face growing pressure to show they understand cyber exposure, regulatory demands and the operational consequences of digital disruption. In that environment, the CISO role has expanded beyond technical stewardship to include regular engagement with directors, audit committees and senior finance leaders.
For employers, the findings suggest career progression in cybersecurity may increasingly depend on leadership and communication skills as much as technical experience. For practitioners, they point to a labour market in which commercial understanding and boardroom presence are becoming more valuable.
EC-Council has certified more than 400,000 professionals worldwide across its programmes. The organisation is best known for the Certified Ethical Hacker qualification, but the latest study focuses on executive-level training as companies adapt their security leadership structures to AI-related risks and broader business accountability.
Bavisi said companies are changing how they assess senior security leaders. "The future CISO will not be measured only on technical capabilities to defend infrastructure and systems," he said. "They will be measured by how effectively they manage AI-driven risk, guide business resilience, govern emerging technologies, and build organizational trust at scale."