Cyber attacks and regulatory pressure have reshaped leadership responsibility for information security. In Europe and Switzerland, CISOs today see themselves not only as technical owners but as strategic leaders who must connect budget, legal and board matters – a development further accelerated by DORA, NIS2 and national requirements.
The CISO’s new leadership role: reporting, budget and governance
The integration of the CISO into corporate leadership is clearly gaining ground in Europe: according to the CISO Report 2025, 83% of European CISOs regularly attend board meetings. At the same time, only 29% of boards have recognised cyber expertise. This gap shapes how CISOs must fill their role as a bridge between technology and executive management.
In Switzerland, the PwC analysis Global Digital Trust Insights 2025 shows that only one in six companies plans cyber budgets in a risk‑oriented way. Budget owners – often CFOs – and CISOs therefore face fundamental questions: How can security investments be translated into business metrics? And how does the CISO achieve the desired decision authority? Practical examples from Switzerland point the way: among winners of the Swiss CISO Awards, several CISOs report directly to the executive committee, creating clearer decision and budget lines (Swiss CISO Awards, 2024).
CISO and CFO: budget allocation as a field of conflict
The relationship between CISO and CFO has become a core element of effective cyber governance. Studies show that boards want to view cyber as a business risk, not just an IT risk: 52% of boards see the CISO as a business enabler, yet only 34% of CISOs share this view (CISO Report 2025). This has practical consequences: security projects compete with other investments for limited funds. A risk‑oriented budget model therefore requires CISOs to translate investments into monetary metrics – such as expected loss avoidance, reputational risks or regulatory penalty costs.
Best‑practice examples from Switzerland illustrate how this translation succeeds: at SMG Swiss Marketplace Group, the Group CISO reports directly to the executive committee and has established Key Risk Indicators (KRIs) that provide the CFO and the board with concrete decision bases. This approach improved transparency and accelerated budget approvals (Swiss CISO Awards / SMG, 2024).
CISO and legal: liability, reporting obligations and compliance
With DORA, NIS2 and the revised Swiss Data Protection Act (DSG 2023), regulatory responsibility for CISOs is rising. Close collaboration with legal and compliance is therefore essential: CISOs must translate technical risks into legally relevant incidents, coordinate reporting obligations and ensure evidence preservation and documentation.
Practice reveals clear overlaps: CISOs are increasingly responsible for adherence to ISO standards, data protection requirements and reporting processes. Expert contributions on CISO practice in Switzerland stress the need for clear role boundaries and processes between technology and legal to minimise personal liability risks and meet regulatory requirements on time (Wirz & Partners, CISO Practice Switzerland, 2024).
Regulatory frameworks: DORA, NIS2, FINMA and DSG
European legislation is visibly tightening governance requirements. DORA will require financial institutions from 2025 to implement comprehensive ICT risk management frameworks, resilience tests and reporting obligations; NIS2 expands the requirements for governance and supply chain management. Swiss institutions follow these guidelines and complement them with FINMA circulars and national recommendations from the NCSC. A consolidated overview of the impacts on governance, third‑party risk and reporting can be found in the analysis by Baggenstos (Baggenstos, 2024).
Concretely, this means for CISOs: stronger involvement in strategic decision processes, formalised reporting duties to the board and regulators, and heightened requirements for third‑party due diligence and the testability of resilience measures. Swiss banks and insurers are additionally under FINMA supervision, which mandates ICT risk management at executive level and further professionalises the CISO position.
Board communication: what the board and CEO expect
Boards today demand concise, business‑relevant information: risk quantification, trend indicators, impact scenarios and actionable recommendations. CISOs are required to translate technical content into Key Risk Indicators (KRIs), scenario analyses and decision options. Where this translation is missing, perception gaps arise – as evidenced by the discrepancy between board expectations and CISO self‑image in the CISO Report 2025.
Practical instruments for board communication include standardised dashboards, tiered reporting (operational, tactical, strategic) and pre‑formulated decision points with cost‑benefit analyses. Swiss award winners also emphasise the effectiveness of more frequent, shorter briefings rather than rare, lengthy reports – a format that better maintains the attention of CEOs and finance leaders (Swiss CISO Awards, 2024).
Fact overview: key statements with sources
– 83% of European CISOs regularly attend board meetings; only 29% of boards have cyber expertise (CISO Report 2025, 2024).
– Only 1 in 6 Swiss companies allocates cyber budgets in a risk‑oriented way; Swiss CISOs are less involved in operational business decisions (PwC Global Digital Trust Insights 2025, July 2024).
– CISO roles in Switzerland increasingly show direct reporting lines to executive management/CEO and establish KRIs to support decision‑making (Swiss CISO Awards submissions; Swiss Cyber Institute / Computerworld, 2024).
– DORA and NIS2 increase governance, reporting and third‑party obligations; Baggenstos summarises the impacts on CH/EU for CISOs (Baggenstos, 2024).
Practical examples from Switzerland and Europe
– Logitech (Swiss CISO of the Year 2024): CISO Tana Dubel introduced a zero‑trust strategy, achieved ISO 27001 certification and strengthened board integration as well as diversity in the cyber team. Source: Swiss CISO Awards / Computerworld and Swiss Cyber Institute.
– SMG Swiss Marketplace Group: Group CISO Mostafa Hassanin reports directly to the executive committee, established KRIs and improved alignment with legal/compliance. Source: Swiss CISO Awards.
– European financial sector: DORA/NIS2 oblige banks and insurers to conduct resilience tests, implement ICT risk management frameworks and meet rapid reporting obligations, strengthening CISO involvement in governance and reporting duties (Baggenstos, 2024).
Current challenges and recommendations
Practical recommendations can be derived from the studies and cases:
– Anchoring in executive management: CISOs should aim for a direct reporting line to the CEO or executive committee to improve decision quality and budget access (example SMG).
– Economic translation of risks: implement KRIs and monetary impact models to provide CFO and board with solid decision bases (PwC, 2024).
– Legal alignment: establish formal interfaces with legal/compliance for reporting processes and documentation; clear role and responsibility definitions reduce liability risks (Wirz & Partners, 2024).
– Regulatory roadmap: plan DORA/NIS2 compliance as a long‑term governance task; invest in third‑party risk management and resilience tests.
Conclusion
The role of the CISO in Europe and Switzerland has evolved from a purely technical function into a multidimensional leadership mandate. Reporting lines, budget responsibility and close alignment with CFO and legal are now core requirements. Regulatory frameworks such as DORA, NIS2 and the revised DSG reinforce this trend and make clear governance structures urgently necessary. Companies that anchor CISOs as strategic partners in the executive committee and on the board create better conditions for resilience and compliance.
CISO as a Service – your next step
If internal resources or structural hurdles make direct anchoring difficult, external models offer an alternative. Expertise for governance, board reporting, risk quantification and regulatory roadmaps can also be sourced flexibly from experienced providers. For an initial exchange on possible models and concrete measures, we are available to you as a specialised provider.
Key take‑away – connect governance, budget and compliance now
Anchor the CISO function in the executive committee, translate risks into economic metrics, establish binding interfaces with legal/compliance and plan DORA/NIS2 tasks for the long term. Only then does the CISO role become a stabilising leadership mandate rather than an isolated technical entity.