Cyber attacks have long been part of everyday life for companies, public authorities and critical infrastructures. According to the Global Digital Trust Insights 2025, Swiss executives still report an insufficiently risk‑oriented approach to cyber budgets – only one in six companies consistently allocates budgets according to risk priorities. The result: gaps in governance, communication and resources at the top management level.
Why the CISO function must now connect executive management and financial responsibility (Part 2)
In Part 1 we outlined the evolutionary shift of the CISO function from purely technical responsibility to strategic governance and now call it the CISO leadership role. In this second article in the series, we focus on the interfaces where CISOs must deliver the greatest impact today: reporting to the board and executive management, budget negotiation with the CFO, and close collaboration with the legal department. The starting point is empirical evidence from Europe and Switzerland as well as concrete practice examples.
Core theme of this article: The CISO function can no longer pursue an isolated technology agenda – it must translate risk, costs and legal obligations into economically intelligible metrics.
Board reporting: presence is not the same as influence
Recent studies show a nuanced picture: 83% of European CISOs regularly attend board meetings, yet only 29% of boards have in‑house cyber expertise, as the CISO Report 2025 notes. In Switzerland, the PwC analyses confirm that while CISOs are invited more often, they are less frequently involved in operational business decisions.
The imbalance is partly explained by communication gaps: boards expect clear, economically sound statements – for example on residual risks, loss probabilities and costs in the event of damage. Many CISOs, however, still report in technical metrics or follow IT logics. The result is divergent perceptions: 52% of boards view the CISO as a business enabler, yet only 34% of CISOs share this view (Splunk/Bitkom reporting).
Best‑practice elements for effective board reporting:
– Translate technical risks into financial metrics (business impact, annualized loss expectancy).
– Use key risk indicators (KRIs) linked to business objectives.
– Provide regular, structured updates with clear courses of action and budget implications.
CISO and CFO: budget negotiation as strategic dialogue
The budget discussion is a central area of tension in many Swiss companies. According to PwC Switzerland, only one in six companies allocates its cyber funds based on risk. This creates conflicts with the CFO, who assesses investments using business management metrics. CISOs therefore need to translate investment needs into ROI terms and risk‑reduction potential to set priorities.
Practical approaches that already work have been tested in Swiss companies: Mostafa Hassanin of the SMG Swiss Marketplace Group reports directly to executive management and has implemented KRIs that demonstrate clear value to both operational and financial stakeholders. Such metrics enable the CFO to integrate cyber spending into the overall budget and to assess risks in capital terms.
Recommendations for CISO‑CFO cooperation:
– Develop business‑focused metrics (e.g. expected financial loss per scenario).
– Set priorities using a risk‑based scorecard model.
– Agree review cycles in which impact and KPIs are examined transparently.
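One way to put the annualized loss expectancy, "expected financial loss per scenario" and scorecard language above into numbers a CFO can work with, as an added example (not from the article or from any company it names); the scenario and control figures are constructed placeholders, not data from the page:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: cost in CHF if the event occurs once
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        # Annualized loss expectancy, the figure a CFO can set against a budget line
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_factor: float = 1.0  # share of the loss per event that remains after the control
    aro_factor: float = 1.0  # share of the event frequency that remains after the control

def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control is in place (the residual risk a board asks about)."""
    return s.sle * c.sle_factor * s.aro * c.aro_factor

def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: (ALE reduction - annual cost) / annual cost."""
    return (s.ale - residual_ale(s, c) - c.annual_cost) / c.annual_cost

def scorecard(pairs):
    """Rank (scenario, control) pairs by ROSI, best first; a negative ROSI means the control costs more than it saves."""
    rows = [{"scenario": s.name, "control": c.name, "ale": s.ale,
             "residual_ale": residual_ale(s, c), "rosi": rosi(s, c)} for s, c in pairs]
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)

# Constructed sample figures (hypothetical, not taken from the article)
RANSOMWARE = Scenario("ransomware outage", sle=2_000_000, aro=0.2)
SUPPLIER = Scenario("supplier data breach", sle=500_000, aro=0.5)
BEC = Scenario("business e-mail compromise", sle=150_000, aro=1.5)
SAMPLE_PAIRS = [
    (RANSOMWARE, Control("offline backups with tested restore", 80_000, sle_factor=0.25)),
    (SUPPLIER, Control("continuous third-party monitoring", 60_000, aro_factor=0.6)),
    (SUPPLIER, Control("annual on-site supplier audits", 200_000, aro_factor=0.8)),
    (BEC, Control("phishing awareness programme", 40_000, aro_factor=0.5)),
]

if __name__ == "__main__":
    for r in scorecard(SAMPLE_PAIRS):
        print(f"{r['scenario']:<28} {r['control']:<36} ALE {r['ale']:>10,.0f} "
              f"residual {r['residual_ale']:>10,.0f} ROSI {r['rosi']:+.2f}")
```

The ranking makes the budget conversation concrete: the audit control for the supplier scenario lands last with a negative ROSI, which is the kind of finding a risk-based scorecard is meant to surface before money is committed.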
CISO and legal department: reporting obligations and liability issues
Regulatory changes intensify collaboration between CISO and legal. DORA and NIS2 expand governance and reporting obligations in the EU; Swiss institutions must additionally observe FINMA requirements and the revised DSG 2023. Baggenstos offers a concise overview of the relevant legal frameworks in his summary of NIS2/DORA/FINMA/DSG.
The consequence: CISOs increasingly bear operational responsibility for compliance controls, while legal liability and contractual issues remain with legal. Effective collaboration therefore requires clear roles (RACI models), joint incident playbooks and aligned reporting processes – including a tiered communication matrix to supervisory authorities and affected parties.
Practical example Logitech: under the leadership of Tana Dubel (Swiss CISO Awards winner), the cyber strategy, including ISO certification and governance processes, was designed so that compliance, technical measures and board reporting are consistently interlinked. The example shows how close coordination with legal facilitates the implementation of regulatory requirements (Swiss Cyber Institute, 2024).
Regulatory implications for governance and resources
DORA and NIS2 compel companies in the EU and those with EU business relationships to strengthen their governance structures: mandatory ICT risk management frameworks, third‑party risk assessments and resilience tests. For financial institutions, DORA comes into force from 2025; in Switzerland, FINMA complements this with sector‑specific circulars. Baggenstos has summarised the key requirements for CH/EU well.
Practical effects:
– More resource needs: supervisory tests, documentation and third‑party monitoring require additional budget and staff.
– Greater board responsibility: boards must be able to make traceable decisions on cyber risks.
– Stronger involvement of the CISO in strategic planning processes to identify compliance gaps early.
What to do now, pragmatically
Based on studies and Swiss practice examples, short‑term steps can be derived that strengthen governance and financial accountability:
– Standardise a dashboard with 6–8 KRIs that address executive management and the CFO (business impact, mean time to detect, third‑party exposure, compliance status).
– Formalise reporting rhythms: quarterly strategy reviews and ad‑hoc incident briefings to the board and CEO.
– Establish a coordinated incident playbook between CISO, CFO and legal that covers reporting obligations (DSG/NIS2/DORA).
– Invest in storytelling capabilities for CISOs: presentations must clearly show business risks and cost implications.
Conclusion
The role of the CISO today is largely a leadership task: it requires strategic communication to the board, economic rationale vis‑à‑vis the CFO, and legally compliant collaboration with legal. European and Swiss findings – for example from the CISO Report 2025 and the PwC Global Digital Trust Insights 2025 – confirm: mere presence at the table is not enough. CISOs must monetise risks, operationalise governance processes and proactively manage regulatory obligations.
CISO governance: your next step
If your organisation wants to strengthen its cyber resilience, start with clear responsibilities: define KRIs, anchor reporting rhythms and align incident reporting routes with the CFO and legal. Examples such as Logitech and SMG show that this creates both compliance and business value (Swiss Cyber Institute; Computerworld). For in‑depth analysis and operational implementation, we offer pragmatic support – from governance design to KRI implementation.
Key take‑away – align risk, costs and law
Anchor the CISO function organisationally so that it reaches executive management, the CFO and legal equally. Concrete steps: risk‑based budgeting, KRI‑driven reporting and aligned reporting processes (DSG / NIS2 / DORA). Reliable sources and practice examples: PwC Global Digital Trust Insights 2025, CISO Report 2025, Swiss CISO Awards / Computerworld, Baggenstos – NIS2/DORA/FINMA/DSG overview.