Businesses and government organizations are facing an escalation of ransomware and other cyber threats. This climate of elevated cyber risk has many organizations focusing on operational resilience to prevent disruption of their business due to a cyberattack.
The good news is that the role of the CISO has evolved and reached true C-level stature, as the majority of CISOs now report directly to company CEOs and, in many cases, also work closely with their boards of directors to ensure security gets baked into business strategy.
A recent World Economic Forum report demonstrates how around the globe, organizations are taking cyber risk more seriously than ever, with ransomware considered a top cyber risk and cyber resilience to be a priority.
CISOs and C-level executives, meanwhile, face increasing scrutiny over how they manage cyber risk, particularly at publicly traded companies. The Trump administration is not expected to make major changes to the current Securities and Exchange Commission (SEC) cyber risk disclosure rules.
CISO stature gains traction as global cyber risk escalates
Security leaders are making inroads with corporate boards and now have a seat at the table with CEOs, a Splunk report shows.
By: David Jones• Published Jan. 30, 2025
CISOs worldwide have gained more authority and influence in corporate governance structures across the globe, according to a 2025 report from Splunk.
More than 8 of every 10 CISOs now report directly to company CEOs, compared with less than half just two years ago. In addition, about 8 in every 10 CISOs participate in board meetings somewhat often or most of the time, the study found.
The report, produced in conjunction with Oxford Economics, is based on a survey of 600 respondents from 10 countries across the U.S., Europe and Asia-Pacific: about 500 CISOs, CSOs or equivalent security leaders and 100 board members. It examines how the CISO role has evolved within corporate leadership teams.
Escalating threats of cyber breaches and malicious attacks on corporate operations and financial performance have led to CISOs gaining greater influence over cyber-risk management decisions.
“CISOs are responsible for managing risk and ensuring that the organization’s security posture is aligned with its business objectives,” Splunk CISO Michael Fanning said via email.
Corporate boards and C-suite leaders are often better prepared to deal with the impact of cyberattacks when they are informed and better aligned with CISOs about corporate cyber risk, according to the report.
In previous years, CISOs had to work through multiple layers of management to reach the CEO, and rarely interacted with board members.
Before leaving her post, former Cybersecurity and Infrastructure Security Agency Director Jen Easterly urged corporate leaders to embrace cyber risk as a core business issue. Easterly had repeatedly asked corporate leaders to prioritize cyber risk during her tenure in the Biden administration.
SEC revamps cyber and crypto enforcement unit under Trump administration
The reconfigured unit signals a more hands-off approach on digital currencies, but legal experts do not expect major changes in cyber risk disclosure.
By: David Jones• Published Feb. 21, 2025
The Securities and Exchange Commission revamped an anti-fraud unit to protect retail investors in emerging technologies, reflecting the Trump administration’s evolving approach to cryptocurrency and cybersecurity.
The Cyber and Emerging Technologies Unit, led by Laura D’Allaird, will have about 30 fraud specialists drawn from across the agency and replaces the Crypto Assets and Cyber Unit. The revised CETU will complement a crypto task force launched in January 2025 under the leadership of Commissioner Hester Peirce.
“The unit will not only protect investors but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow,” Acting SEC Chairman Mark Uyeda said in a statement. “It will root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies.”
The reconfigured anti-fraud unit is part of an effort to streamline the oversight of new technologies by the Trump administration.
SEC cybersecurity rules
SEC actions to regulate cybersecurity had been the subject of fierce debate under former Chairman Gary Gensler, who backed aggressive measures to get companies to report material data breaches and update investors on risk mitigation strategies.
D’Allaird was promoted to co-chair of the Crypto Assets and Cyber Unit in December 2024.
The CETU will prioritize a number of areas related to cyber disclosure, emerging concerns about artificial intelligence and machine learning, and fraud related to blockchain technology and crypto assets.
“Consistent with the administration’s oft-stated intentions to attract the crypto industry and reduce regulatory hurdles, the new unit appears to signal a shift away from targeting industry players to broader cybercrimes or issues that affect retail investors regardless of industry vertical,” said Aloke Chakravarty, a partner at Saul Ewing and a former assistant U.S. Attorney for the district of Massachusetts.
Michael Lowe, a partner at Troutman Pepper Locke, said the unit is part of a shift away from the SEC treating all digital assets as “securities.” However, Lowe does not expect any major change in how the agency enforces cyber disclosure rules.
Sponsored
Global 2000 domain security: Gaps that leave giants vulnerable
At a time when digital perils are escalating daily, even the largest corporations are not immune. According to research by CSC, Forbes Global 2000 companies—among the world’s most influential businesses—exhibit significant gaps in domain security. Evaluations based on eight critical domain security measures reveal year-to-year trends and highlight the urgent need for enhanced fortifications in the face of evolving threats.
A snapshot of domain security measures
The adoption of eight key domain security measures was assessed: Certification Authority Authorization (CAA) records; Sender Policy Framework (SPF); Domain-based Message Authentication, Reporting and Conformance (DMARC); DomainKeys Identified Mail (DKIM); registry lock; enterprise-level registrar services; Domain Name System Security Extensions (DNSSEC); and DNS redundancy. These measures are foundational protections against phishing, domain hijacking and unauthorized modification of a domain's records or registration.
Despite their importance, utilization rates across the Global 2000 remain inconsistent. Alarmingly, 107 companies scored a zero, meaning they hadn’t implemented any of these measures. This leaves 5% of the Global 2000 highly vulnerable to domain security risks, including phishing schemes, impersonation attempts, and unauthorized domain transfers.
Lookalike domains: A persistent menace
The prevalence of homoglyph domains remains significant. These are lookalike domains that swap in visually similar characters to mimic legitimate company websites. About 80% of them are owned by third parties, not the companies they mimic. Even more concerning, 42% of these domains have mail exchanger (MX) records, up slightly from 40% in 2023. An MX record means the lookalike is set up to receive email, so mail mistakenly sent to it lands with the third party, and a mail-enabled domain lends credibility to phishing sent in the impersonated company's name, creating exposure for both businesses and their customers.
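As an added example that is not CSC's tooling and not part of the original article, the following Python scores a domain against seven of the eight measures listed above and enumerates homoglyph lookalikes that carry an MX record. DNS and RDAP answers come from a constructed in-memory snapshot with made-up names (example-bank.test and its variants) so the script runs offline; a live version would replace lookup() with dnspython queries and RDAP_STATUS with a registry RDAP lookup. Enterprise-level registrar service is a contractual attribute with no DNS or RDAP signal, so it is not scored. Registry lock is inferred from the server*Prohibited EPP status codes, which is how a lock shows up from the outside.

```python
"""Score a domain on CSC-style measures and list mail-enabled lookalikes."""

# Constructed DNS snapshot (name -> rrtype -> records) standing in for live
# lookups. All names and values are made up for this example.
DNS = {
    "example-bank.test": {
        "TXT": ["v=spf1 include:_spf.mailhost.test -all"],
        "CAA": ['0 issue "letsencrypt.org"'],
        "DS": ["12345 13 2 0123456789abcdef"],          # DS in parent => DNSSEC signed
        "NS": ["ns1.dnshost-a.test", "ns2.dnshost-b.test"],
        "MX": ["10 mail.example-bank.test"],
    },
    "_dmarc.example-bank.test": {
        "TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"]
    },
    "selector1._domainkey.example-bank.test": {"TXT": ["v=DKIM1; k=rsa; p=MIIBIjAN"]},
    # A third-party lookalike that can receive mail, and one that cannot.
    "examp1e-bank.test": {"MX": ["10 mx.freemail.test"]},
    "exarnple-bank.test": {"A": ["203.0.113.7"]},
}

# Constructed EPP status codes as RDAP would report them.
RDAP_STATUS = {
    "example-bank.test": ["serverDeleteProhibited", "serverTransferProhibited",
                          "serverUpdateProhibited", "clientTransferProhibited"],
}
LOCK_STATUSES = {"serverDeleteProhibited", "serverTransferProhibited",
                 "serverUpdateProhibited"}

# Small confusables map (assumed; real checks use a much larger table).
CONFUSABLES = {"l": "1", "i": "1", "o": "0", "m": "rn", "w": "vv"}


def lookup(name, rrtype):
    """Return records of one type for a name from the snapshot."""
    return DNS.get(name.lower(), {}).get(rrtype, [])


def parse_tags(record):
    """Parse a 'k=v; k=v' record (DMARC, DKIM) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_status(domain):
    """None if no SPF record, 'strict' if it hard-fails (-all), else 'soft'."""
    spf = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    return "strict" if "-all" in spf[0].lower().split() else "soft"


def dmarc_policy(domain):
    """The DMARC p= value ('none', 'quarantine', 'reject') or None if absent."""
    for record in lookup("_dmarc." + domain, "TXT"):
        tags = parse_tags(record)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def has_dkim(domain, selectors):
    """True if any selector publishes a DKIM record with a public key."""
    for selector in selectors:
        for record in lookup(f"{selector}._domainkey.{domain}", "TXT"):
            tags = parse_tags(record)
            if tags.get("v", "").upper() == "DKIM1" and tags.get("p"):
                return True
    return False


def dns_redundant(domain):
    """Authoritative NS spread across at least two provider domains."""
    providers = {".".join(ns.rstrip(".").split(".")[-2:]) for ns in lookup(domain, "NS")}
    return len(providers) >= 2


def registry_locked(domain):
    """All three server-side prohibitions present => registry lock in place."""
    return LOCK_STATUSES <= set(RDAP_STATUS.get(domain, []))


def assess(domain, dkim_selectors=("selector1",)):
    """Seven checkable measures. DMARC only counts when it enforces."""
    return {
        "spf": spf_status(domain) == "strict",
        "dmarc": dmarc_policy(domain) in ("quarantine", "reject"),
        "dkim": has_dkim(domain, dkim_selectors),
        "caa": bool(lookup(domain, "CAA")),
        "dnssec": bool(lookup(domain, "DS")),
        "dns_redundancy": dns_redundant(domain),
        "registry_lock": registry_locked(domain),
    }


def homoglyph_variants(domain):
    """Single-character confusable substitutions in the registrable label."""
    label, _, suffix = domain.partition(".")
    return [f"{label[:i]}{CONFUSABLES[ch]}{label[i + 1:]}.{suffix}"
            for i, ch in enumerate(label) if ch in CONFUSABLES]


def mail_enabled_lookalikes(domain):
    """Lookalikes that publish an MX record and can therefore receive mail."""
    return [v for v in homoglyph_variants(domain) if lookup(v, "MX")]


if __name__ == "__main__":
    for measure, ok in assess("example-bank.test").items():
        print(f"{measure:15} {'ok' if ok else 'MISSING'}")
    print("mail-enabled lookalikes:", mail_enabled_lookalikes("example-bank.test"))
```

A DMARC record with p=none is monitoring only, so the scorer treats it as absent; a p=none record is still worth publishing first, because the aggregate reports it returns are how you find the legitimate senders that need SPF and DKIM coverage before moving to p=quarantine or p=reject.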
Industry and regional trends
Notable shifts were observed in domain security by industry. Healthcare equipment and services, which ranked fifth in 2023, fell to twelfth place in 2024. This decline is particularly serious given the healthcare sector's increased targeting by cybercriminals. Conversely, technology hardware and equipment companies improved their standing, climbing from thirteenth place to fifth, reflecting a growing emphasis on securing their digital assets.
Geographically, deployment of domain security measures varied: Europe, the Middle East and Africa (EMEA) showed the highest growth in adoption, ahead of the Americas and Asia-Pacific.
Encouraging progress: DMARC and registry lock
Some bright spots emerged in the findings. Usage of the email authentication protocol DMARC has grown by 32 percentage points since 2020. This growth is understandable, given the record number of phishing incidents reported in 2023 (nearly five million, according to the Anti-Phishing Working Group). DMARC’s ability to defend email domains against spoofing and phishing is proving increasingly vital.
Similarly, registry lock use has grown by seven percentage points since 2020. Despite this progress, overall adoption remains low at just 24%. Registry lock offers a crucial safeguard against accidental or illicit domain modifications, mitigating risks related to third-party interference.
The case for comprehensive domain security
While progress in some areas is evident, many organizations still lack a strategic approach to domain security. The risks are too great for companies to rely on partial measures or to assume their size or influence protects them; if anything, those qualities make them more attractive targets. Cybercriminals continually evolve their tactics, exploiting gaps in domain security to launch increasingly sophisticated schemes.
These revelations serve as a wake-up call for companies to prioritize domain security. By implementing the recommended measures, organizations can mitigate their exposure to attacks.
Looking ahead
The stakes for domain security have never been higher. As businesses expand their digital footprints, they must think ahead on how to protect their brands, customers, and stakeholders.
For a detailed breakdown of these findings, download our full report here. By understanding the current state of domain security and taking steps to protect themselves, companies can better navigate the evolving threat landscape.
World Economic Forum spotlights growing gap in cyber readiness
Ransomware remains the top cyber risk concern among executives, but CISOs are almost twice as likely as CEOs to make that determination.
By: Matt Kapko• Published Jan. 15, 2025
Ransomware is the top organizational cyber risk this year, the World Economic Forum said in its Global Cybersecurity Outlook for 2025. Nearly half of all respondents to the annual global survey said a ransomware attack concerns them the most.
While ransomware ranked as the top cyber risk among CEOs and CISOs, the report found a significant gap in the level of concern between the executive roles. Nearly 1 in 3 CEOs said ransomware is their top cyber risk concern, but more than half of CISOs made the same determination.
Executives in the study expect significant innovations in ransomware attacks, including the continued growth of ransomware-as-a-service models, which further the commoditization of cybercriminal activity. Nearly 3 in 4 chief risk officers said they anticipate severe organizational disruptions from cyber risks and criminal activity.
The report highlights a growing gap in cyber readiness between large enterprises with considerable resources and small organizations with fewer tools and talent at their disposal.
“Amid increasingly independent supply chains, this cyber inquiry is resulting in systemic points of failure with significant consequences for the overall resilience of the ecosystem,” the report said.
Cyber resilience at risk
More than 1 in 3 small organizations said their cyber resilience is inadequate, a sentiment that’s grown sevenfold since 2022, the report found. Conversely, large organizations with more than $5.5 billion in annual revenue cited an improvement in cyber resilience with only 7% describing insufficiencies.
Nearly 3 in 4 cyber leaders told the WEF that small organizations can no longer adequately secure themselves against cyber risks.
Supply-chain challenges, compounded by a lack of visibility and oversight into the security practices of suppliers, are the largest barrier to cyber resiliency, according to more than half of respondents at large organizations.
Fraud stemming from other digital threats, including phishing and business email compromise, ranked as the second-highest cyber risk this year. Respondents ranked supply-chain disruption third.
WEF’s Global Cybersecurity Outlook survey is based on responses from more than 400 executives from 57 countries.
Cyber disruptions remain top business risk concern in US, globally
A report from Allianz shows the global disruption caused by CrowdStrike’s IT mishap added to longtime concerns about data breaches and ransomware.
By: David Jones• Published Jan. 15, 2025
Cybersecurity risk, including ransomware, data breaches and IT disruptions, remained the top business concern in the U.S. and worldwide over the past year, according to the Allianz Risk Barometer.
Cyber incidents topped the global list of business risks for the fourth consecutive year, cited by more than 1 in 3 respondents. The margin between the top two business risks was the widest ever, with a 7 percentage point gap between cyber and business interruption, the second-largest global concern.
The report is based on a survey of almost 4,000 risk management experts in 106 countries and territories. The executive respondents include risk managers, brokers, CEOs and insurance experts.
Three in 5 respondents said data breaches were their top cyber concern, followed by 57% fearing attacks on critical infrastructure and physical assets.
Cyber resilience
Operational resilience has become a key concern among business leaders, in terms of making sure they can maintain operations in the face of a cyberattack as well as other disruptive events.
Business interruption was the second biggest concern globally, in a year when supply chains were heavily stress tested.
The July 2024 outage that took down millions of Microsoft Windows systems after a faulty CrowdStrike software update was a real-world example of how and why IT security issues are a major concern among companies across the globe.
“While many organizations strive to implement comprehensive strategies for disaster recovery and business continuity, there remains a concern that contingency plans themselves may be overly dependent on technology, highlighting the need for diverse and adaptable solutions,” Michael Bruch, global head of risk advisory services at Allianz Commercial, said in the report.
Ransomware was the leading reason for cyber insurance loss and continues to be a major risk concern among businesses. During the first half of 2024, ransomware accounted for 58% of the value of large cyber-related insurance claims, the report found.
Enterprise executives cite AI-assisted attacks as top emerging risk, Gartner finds
The analyst firm’s survey underscores growing concern about potential, yet unrealized, scenarios involving AI’s potential role in attacks.
By: Matt Kapko• Published Nov. 4, 2024
AI-assisted attacks were the top emerging business risk through the first three quarters of 2024, Gartner said in a report. Four in 5 executives Gartner surveyed named AI-enhanced malicious attacks as the top emerging risk in the third quarter of 2024.
The report, based on a survey of 286 senior risk and assurance executives, forecasts potential future risk — scenarios that haven’t been realized by enterprises but could bear a significant impact in time.
The remaining top five most commonly cited emerging risks include AI-assisted misinformation, escalating political polarization, globally consequential risk and a misaligned organizational talent profile.
Worries about threat groups using AI in a meaningful way in cyberattacks continue to outpace reality. Researchers have not identified AI-engineered cyberattack campaigns, but there is widespread speculation that will change.
“I personally don’t see any evidence of it yet. I’m sure it’ll happen but I can’t quite predict how they might use it in the future,” Mandiant Consulting CTO Charles Carmakal said during a media briefing at the 2024 RSA Conference.
The No. 1 concern is that attackers are using AI for social engineering and to overcome language barriers, Mandiant Chief Analyst John Hultquist said during the media briefing.
For now, security leaders at many of the top cybersecurity and enterprise technology firms, including Google Cloud, insist or at least remain hopeful AI will give defenders an advantage over attackers.
In Gartner’s study, AI-assisted misinformation and escalating political polarization were new emerging risks respondents cited, which reflect growing concern and uncertainty about global elections and their potential impact on enterprise.
“While the upcoming U.S. election generates headlines over the candidates’ regulatory, trade and other proposals, organizations have difficulty considering the actual risk implications from the many scenarios that might unfold,” Zachary Ginsburg, senior director of research in Gartner’s Risk and Audit Practice, said in the report.
CIOs turn to NIST to tackle generative AI’s many risks
Discover’s CIO is one of many tech leaders working to limit generative AI missteps by turning to risk management frameworks to get deployment right from the outset.
By: Lindsey Wilkinson• Published Oct. 9, 2024
Discover Financial Services is taking a calculated approach to generative AI.
From experiments and pilots to use cases across the business, the financial institution evaluates how to best use generative AI by assigning specific guardrails based on risk. The process enables adoption with an unobscured lens to better identify value and prioritize projects, whether the technology is customer-facing or intended for back-office tasks.
The approach also grants Discover more protection from the outsized risks generative AI brings.
“All of that is meeting our standards, expectations and our policies around that, but it’s still ‘human in the loop,’” Discover CIO Jason Strle told CIO Dive. “That’s a really big part of how we mitigate that risk, [and] that will last for a certain period of time.”
Discover’s risk reduction strategy closely follows the guidance laid out by the National Institute of Standards and Technology, which published the final version of its generative AI profile of the AI Risk Management Framework in July 2024.
“The NIST AI risk management framework is very, very consistent with financial risk management, non-financial risk management or the operational risk management that banks need to do,” Strle said. “The pattern is very familiar.”
As enterprises approach generative AI with caution, NIST’s risk mitigation guidance is a jumping-off point for businesses trying to determine the best place to start as the technology rapidly evolves. Even as leaders are eager to reap the potential rewards of wide-reaching, large-scale generative AI integration, they are prioritizing efforts to avoid missteps and shape holistic adoption plans.
The popularity of the NIST framework is not coincidental. The government agency has worked for years to fortify standards for cybersecurity, which are recognized broadly, and is now setting the stage to become the standards body for generative AI, too.
An abundance of options
For Discover, Strle distilled NIST’s voluntary framework into three steps:
Identify where capabilities create risk.
Prove the organization understands how to quantify and mitigate the risk.
Monitor on a daily basis.
The final version of NIST’s text, which resulted from then-President Joe Biden’s executive order of October 2023, offers just over 200 risk-mitigating actions for organizations developing and deploying generative AI. It is a slimmed-down version of the roughly 400 actions in the initial draft published in April 2024.
The NIST AI guidance focuses on a set of a dozen broad risks, including information integrity, security, data privacy, harmful bias, hallucinations and environmental impacts. The framework provides organizations with ways to contextualize and mitigate risks.
To prevent incorrect generated outputs, for example, NIST provides around 19 different actions enterprises can take, such as establishing minimum thresholds for performance and review as part of deployment approval policies.
NIST is not alone in its effort to provide generative AI adoption guidance.
As vendors rushed to embed generative AI into solutions, industry groups and advocacy agencies worked to clear the confusion around model evaluations, risk management and responsible processes.
Those efforts have resulted in an abundance of guidelines, policy recommendations and guardrail options, but no single source of truth.
The International Organization for Standardization released an AI-focused management system standard in December 2023. MIT launched an AI risk database calling attention to more than 700 threats in August 2024 and several professional services firms have created governance frameworks.
Whether the growing list of options made the waters murky for CIOs or is actually helpful depends on who you ask.
“I don’t think it’s a straightforward answer,” Strle said. Having more ways to mitigate threats is not inherently productive, so it is up to enterprise leaders to decide what the business actually needs to protect.
Standing on the sidelines is only an option for so long.
Executives are contending with tightening regulations on AI around the world, from the European Union’s AI Act to California’s contentious Senate Bill 1047, which California Gov. Gavin Newsom vetoed. The majority of leaders expect stricter requirements in the future, and businesses are reviewing and updating their existing practices to get on track.
“I have to stay prepared because, eventually, it’s going to make it to the other states,” said Shohreh Abedi, EVP, chief operations and technology officer, membership experience at AAA - The Auto Club Group. The organization has focused on embedding generative AI over the last year, operating across 14 states, a Canadian province, Puerto Rico and the U.S. Virgin Islands.
“We can’t put our heads in the sand,” Abedi said.
Where CIOs draw the line
CIOs are growing tired of seemingly empty promises of what generative AI might do and want to turn talk into action. The technology’s laundry list of risks, however, calls for a more meticulous security overview, requiring new frameworks, best practices and training.
While there are hundreds of ways to mitigate generative AI’s risk, technology leaders don’t necessarily need to rush to deploy them all, analysts told CIO Dive.
CIOs should identify the most critical risks, whether it's reputational damage or from an intellectual property perspective, Thomas Humphreys, compliance expert and content manager at Prevalent, said. “Thinking like that will start to help shape which of those mitigation techniques are most useful to a business.”
NIST recommends that organizations periodically monitor for and address sensitive data exposure. At AAA’s second-largest club in North America, Abedi said the organization forbids employees from freely putting sensitive information into models or using proprietary data to train them.
“The first thing we said was, you can’t use any of our assets to go do your own generative AI,” Abedi told CIO Dive. “We will be monitoring, and if we see that you’ve done an account off my assets, we’re going to come to you and shut it down.”
Employees are encouraged to bring forth use case ideas that solve pain points, Abedi said, but the organization isn’t willing to potentially allow unauthorized third-party providers full access to its host of proprietary information.
That balance was struck after conversations with stakeholders and risk assessments, a strategy NIST highlighted in its guidance as well.
Understanding risk tolerance
NIST recommends organizations base risk mitigation on their level of risk tolerance as a core governing principle.
“An amicable and acceptable approach will be to first evaluate the business needs where AI is implemented and not just dump all AI risk mitigation guidance as a silver bullet,” said Rahul Vishwakarma, senior member of the Institute of Electrical and Electronics Engineers.
When Discover considers adding generative AI to workflows, the business keeps in mind where it currently draws the line.
“If it’s completely autonomous and it’s answering where the nearest ATM is, that’s one kind of risk profile,” Strle said. “Complete autonomy when you’re making a decision that’s going to affect the customer’s financial livelihood or financial outcomes, well, that’s a very, very high set of risk profiles to manage and we’re not there yet.”
Discover has controls and guardrails in place, but it relies on its workers, who have gone through training and have access to usage policies and procedure guidelines, to distinguish the value of generative AI’s outputs. It’s a tactic NIST recommends in its guidance, too.
“A lot of what we’re doing in the contact center is ‘human in the loop,’ where you can leverage these generative AI capabilities and that’s happening parallel to a contact center agent doing their job,” Strle said. “The final decision is with the human, who’s adhering to all the training and processes.”
When generative AI does have a level of autonomy in a particular use case, CIOs need a plan for what happens if models go awry. For some tech leaders, having an off-switch is vital.
The City of Glendale, Arizona, turned to generative AI to solve a pressing support issue as the city moved to approve a major renovation of its City Hall, according to former CIO and CISO Feroz Merchhiya, who is now CIO of the City of Santa Monica, California.
“I had full control of the data and I had control of the system in terms of if it didn’t work or fired off wrong advice, I could turn it off,” Merchhiya said, referring to the company’s enterprise-focused IT support copilot tool. “And I had a mechanism to rectify the problem by deploying a human resource to solve the problem.”
Risk mitigation and implementation plans work best when devised together, technology leaders told CIO Dive.
Strle said Discover's upfront work to understand how to best use generative AI in the contact center was coupled with an assessment of the risks tied to identified use cases.
“All controls that we create — and financial services have to be sustainable over an indefinite period of time — it [must] take into account all the dynamics of the industry in which we operate, which is constantly changing,” Strle said. “The NIST framework is an extension, in my mind, of that same basic pattern.”
Next up for CIOs
While there are enterprises making progress in risk management, studies have shown consistent discrepancies between the number of businesses deploying generative AI and the prevalence of responsible, secure practices.
Analysts attribute the lag to the quick pace of technological innovation and adoption.
“What I’m seeing with CIOs is that they are more challenged because they are having to make very difficult decisions about technology, even more than they always have because of how quickly these tools, techniques and models are developing,” Rowan Curran, senior analyst at Forrester, said.
Though it commands enterprise interest, generative AI is still evolving and its best practices are not yet solidified.
Plus, managing risks isn’t always simple. More than 3 in 5 executives expect to see a significant increase in the level of risk they will be responsible for in the next three to five years, according to a recent KPMG survey. Around 2 in 5 anticipate more than half of their risk management budget will go to technology.
“There are no prescriptive standards set yet, but these will evolve over time,” Freshworks CIO Ashwin Ballal told CIO Dive. “Right now, it’s like we all have a hammer with AI and we think everything is a nail.”
Interest in generative AI has dipped among senior executives and board of directors since the beginning of 2024, according to Deloitte research published in August 2024.
Fortune 500 companies are also more likely to cite AI as a potential risk factor in securities filings than to highlight its benefits or use cases, according to Arize AI research, which analyzed each business’s most recent annual report.
The dip in enthusiasm comes as most organizations grapple with adoption roadblocks related to tech debt and inadequate infrastructure, on top of risk management. Still, enterprises are hopeful their AI initiatives can deliver results, using frameworks like NIST's suggested actions to curb adoption risks.
“You have to come to the leadership table with recommendations and suggestions,” Curran said. “Be the one that educates about how this technology can make a difference, how it ties to the business goals and what’s the path to get there.”
How CISOs approach risk management
Cyber risk management strategies entered the spotlight as new rules from the Securities and Exchange Commission took hold. The conversation is changing rapidly due to the emergence of generative AI and a general rush to adopt technology without fully understanding its risk.