CISO role in Europe & Switzerland: Governance & responsibility – Part 1/5

The CISO role is undergoing a fundamental shift: In Europe and Switzerland, a combination of regulatory pressure, market demands and internal corporate governance is pushing security leaders into strategic responsibility. According to the PwC Global Digital Trust Insights 2025 and the CISO Report 2025, CISOs are taking part in board meetings more frequently – while requirements under DORA, NIS2 and national regulations are rising.

Why CISO leadership is now a board-level priority

Integrating the CISO into corporate leadership is no longer a mere formality. Studies indicate that 83% of European CISOs regularly attend board meetings, yet only 29% of supervisory bodies have demonstrable cyber expertise (Bitkom CISO Report 2025). In Switzerland, analyses such as PwC's report that CISOs are present but less often involved in operational business decisions. This discrepancy shapes key tensions – from budget responsibility to risk communication.

As part of this series (Part 1), I outline the current state in Europe and Switzerland, present verifiable figures and real-world examples – later parts will delve into the CISO–CFO and CISO–Legal relationships as well as the concrete implications of DORA and NIS2.

Board participation versus operational responsibility

Presence at the table is not enough: the data shows that attendance does not equal influence. While 83% of CISOs attend board meetings, only 52% of boards view the CISO role as a business enabler – compared with just 34% of CISOs who share that view (CISO Report 2025). In Switzerland, the PwC study adds: Only around one sixth of companies structure cyber budgets based on risk; budgeting often takes place without comprehensive involvement of the security lead (PwC Global Digital Trust Insights 2025).

The result is recurring communication gaps: the CISO measures technical risks, the board expects business-relevant metrics. Best-practice approaches – such as translating technical indicators into key risk indicators – are therefore central and are implemented in successful Swiss examples (see practical cases below).

Regulatory change as a driver: DORA, NIS2 and the national context

The regulatory landscape is shifting responsibilities upwards. DORA and NIS2 introduce binding requirements for governance, ICT risk management, third-party risk management and reporting obligations; for financial institutions, DORA enters a practically binding phase from 2025 (Baggenstos – NIS2/DORA overview).

Swiss organisations face additional national requirements: the revised Data Protection Act (DSG 2023), FINMA circulars for financial institutions and BACS recommendations tighten reporting and documentation duties. As a consequence, CISOs must work more closely with Legal and Compliance and adapt governance models so that reporting lines, responsibilities and liability issues are clearly defined.

Financial accountability and the question of ROI for cyber investments

A central area of tension exists between CISO and CFO: budget constraints and the expectation that cyber investments be justified in business terms. PwC data shows that risk-based budget allocation remains scarce in many Swiss companies – only one in six companies proceeds accordingly (PwC Switzerland, 2025).

The answer lies in measurable KRIs, scenario analyses and business impact measurements: CISOs who translate security into business metrics (costs avoided, time to recovery, economic impact of downtime) are more likely to secure the desired budget support. This capability has become a criterion for leadership quality in the role.

Swiss practical examples: board integration and governance

Concrete, verifiable examples illustrate what leadership tasks look like today:

Logitech (Swiss CISO Awards 2024): Tana Dubel was recognised for introducing a zero-trust strategy, an ISO 27001 focus and tight alignment with the executive team and the board (Swiss CISO Awards / Computerworld; Swiss Cybersecurity).

SMG Swiss Marketplace Group (Swiss CISO Awards 2024): Mostafa Hassanin reports directly to the executive team and established KRI-based reporting as well as aligned processes with Legal/Compliance – a model case for transparent cyber governance (Swiss CISO Awards / Computerworld).

These examples demonstrate: when CISOs report directly to the CEO or the board and governance mechanisms such as KRIs and clear interfaces with Legal and Finance are implemented, transparency increases and the organisation’s capacity to act improves.

What boards and CEOs expect – and what is missing

Boards are increasingly demanding two things: clear, business-relevant metrics and proof that, for example, resilience tests are carried out. Reality, however, is marked by perception gaps: only a portion of boards recognise the CISO’s role as an enabler, while CISOs are even less likely to share this self-perception (CISO Report 2025).

Board-level best practices include regular, concise decision dashboards, scenario-based briefings, clearly defined responsibilities for reporting obligations and the inclusion of external assessments (resilience tests). These elements address both governance and liability issues, which are intensified by NIS2/DORA and national requirements.
