CISO Leadership – Part 4/5

CISO leadership has become a top-management issue: the CISO’s role in governance, finance and legal is changing at pace. In Europe, NIS2 and DORA impose stricter reporting duties, while in Switzerland FINMA circulars and the revised Data Protection Act (DSG 2023) sharpen the accountability of security leaders.

Why CISOs now belong more firmly in management reporting

The CISO role is shifting from technology specialist to bridge-builder between risk, law and funding. According to the CISO Report 2025, 83% of European CISOs regularly attend board meetings. However, only 29% of boards have proven cyber expertise, so a mismatch emerges between who reports and who can interpret the report. Consequently, CISOs must communicate in clear, business-relevant terms.

In Switzerland, PwC’s analysis shows that only around one in six companies allocates cyber budgets on a risk-oriented basis, and that CISOs are less often involved in operational business decisions than the global average (PwC Global Digital Trust Insights 2025). For boards and CEOs, the conclusion is straightforward: without a clear CISO mandate, financial decisions and compliance measures remain fragmented. CISO leadership, therefore, needs a defined place in governance.

Budget responsibility and points of friction with the CFO

Translating technical risks into financial metrics remains a core tension between CISO and CFO. PwC notes that in many Swiss firms, cyber investments are not prioritised on the basis of risk assessments (PwC, 2024). Without robust risk economics, the CFO lacks the foundation to release funds with confidence. CISO leadership must, therefore, make risk legible to finance.

Best practice: CISOs develop Key Risk Indicators (KRIs) and Total Cost of Risk models that monetise potential loss scenarios and thus enable investment decisions. A practical example comes from SMG Swiss Marketplace Group: Group CISO Mostafa Hassanin reports directly to executive management and established a KRI-based reporting system, which in turn facilitates alignment with Finance and Legal (Swiss CISO Awards / SMG). In this setting, CISO leadership becomes measurable and actionable.

Legal accountability: working with Legal and liability questions

Regulatory requirements increase the workload at the interface between the CISO and the legal function. Today, CISOs share responsibility for complying with data protection and notification rules (DSG/GDPR), as well as for compliance standards such as ISO 27001. Therefore, close alignment with Legal is indispensable, particularly for reporting obligations and contract reviews with third parties. CISO leadership must, consequently, extend beyond technology into legal readiness.

Practice shows that CISOs, Legal and Compliance must define reporting channels, escalation rules and roles in Incident Response in a binding way. This is also driven by the regulatory agenda. DORA and NIS2, for example, require formalised governance structures and clear reporting deadlines, which overlap technical and legal responsibilities. CISO leadership, therefore, depends on disciplined coordination.

Regulatory pressure: DORA, NIS2, FINMA and DSG

European rules are materially reshaping governance requirements. DORA will enter into force for financial institutions from 2025 and requires, among other things, mandatory ICT risk management frameworks, resilience testing and strict reporting duties. In parallel, NIS2 expands obligations for operators of critical services and their suppliers. Consequently, CISO leadership must align security work with supervisory expectations.

In Switzerland, FINMA circulars add further requirements for banks and insurers, while the revised Data Protection Act (DSG 2023) has defined stricter transparency and notification duties since September 2023. Taken together, these rules increase the operational load for CISOs and therefore demand a clearer anchoring in executive management and on the board. CISO leadership becomes a governance necessity, not a specialist function.

Board communication: what boards really expect

Good board communication means translating risk into business metrics, providing clear recommendations and showing room for decision-making. Studies reveal significant perception gaps: 52% of board members see the CISO as a business enabler, yet only 34% of CISOs share that view (CISO Report 2025). Therefore, CISO leadership must be expressed in business language, not technical detail.

Specific expectations for board reports:

  • Short-term overview of critical KRIs.
  • Assessment of potential financial impact (loss scenarios).
  • Status of compliance measures (DORA/NIS2/DSG).
  • Decisions for approval, including budget and risk implications.

Practical examples: Swiss companies as role models

Swiss awards and case examples show how CISO functions can be integrated effectively into governance. Logitech CISO Tana Dubel, honoured as Swiss CISO of the Year 2024, introduced a Zero Trust strategy, achieved ISO 27001 compliance and established regular board updates, while also increasing diversity in the team. As a result, both compliance and resilience improved (Swiss CISO Awards / Logitech). Here, CISO leadership translates into demonstrable organisational change.

Similarly, SMG Swiss Marketplace Group reports on direct reporting lines to executive management and KRI-based reporting, which strengthened collaboration with Finance and Legal and shortened response times to regulatory requirements (Swiss CISO Awards / SMG). Consequently, CISO leadership improves decision speed under regulatory pressure.

Recommended actions for the CISO, CFO and Legal

From the available studies and practical examples, concrete steps can be derived:

  • Introduce a binding reporting framework: standardise KRIs, loss scenarios and compliance status.
  • Integrate financial metrics: use Total Cost of Risk and Return-on-Security-Investment (RoSI) for budget discussions.
  • Anchor governance: align CISO reporting ideally to the CEO or the board, supplemented by regular briefings for the CFO and Legal.
  • Create a regulatory roadmap: translate DORA/NIS2/FINMA requirements into project plans and prioritise third-party risks.
  • Clarify internal roles: document incident reporting paths, escalation levels and liability questions together with Legal.

Conclusion

The CISO function has evolved into a leadership task that touches governance, finance and legal alike. European regulation (DORA, NIS2) and Swiss requirements (FINMA, DSG 2023) are further accelerating this development. Companies that align the CISO, CFO and Legal early on around a shared language and structured reporting mechanisms reduce compliance risks and therefore create the basis for well-founded investment decisions. In short, CISO leadership is the lever that turns cyber risk into executive action.

CISO, CFO and Legal: your next step

If you want to strengthen the CISO function, start with KRI-based reporting and a regulatory gap analysis for DORA/NIS2/DSG. As a reference, the PwC Global Digital Trust Insights 2025 and the CISO Report 2025 offer helpful orientation. To operationalise CISO leadership, ensure that reporting reaches decision-makers on a fixed cadence.

Key take-away: settle converging accountabilities now

Anchor the CISO function in executive management, standardise crisis and compliance reporting (KRIs, loss scenarios, DORA/NIS2 roadmap) and establish clear coordination processes with the CFO and Legal. Only then can you manage regulatory duties, financial consequences and operational risks effectively, and only then does CISO leadership deliver its full value.
