CISOs express strong confidence in core cybersecurity capabilities but feel underprepared for AI-driven threats

There’s a confidence paradox happening right now in cybersecurity. Most Chief Information Security Officers (CISOs) feel they have their core systems under control. They say they’re ready on cyber resilience, well-coordinated on operations, and aligned enough with the business. This makes sense: traditional models of defense have been tested and refined over decades. CISOs know the basics, and they’re built to handle the predictable.

But here’s the thing: AI-driven threats aren’t predictable. And that’s where things break down. According to new data from LevelBlue, while 53% of CISOs think they’re ready to defend against AI-powered adversaries, 45% already expect to be attacked with deepfakes or AI-driven techniques in the next year. That’s almost half expecting to get hit soon, while barely over half feel equipped to stop it. Confidence is outpacing reality.

These attacks don’t play by the old rules. AI-enabled threats adapt. They generate false media content, impersonate real people, and automate reconnaissance. That kind of speed and mimicry is new. So it’s not surprising that preparedness lags behind awareness.

This is a signal to business leaders: You can’t rely on existing frameworks to protect your organization from next-generation threats. You need to expand your security playbook now, before attackers force you to. There’s opportunity here. Being early on AI defense gives your company an edge. Fall behind, and you open the door to risk and reputation damage.

Governance and leadership alignment gaps are hindering effective cybersecurity strategy execution

Strategy fails at the intersection of leadership and execution. It does no good for security teams to build strong defenses if leadership isn’t synced. And right now, that syncing isn’t where it needs to be. The problem isn’t always technology; it’s structure and timing.

According to LevelBlue, 60% of CISOs say governance teams still don’t fully understand cyber resilience. That means security programs are often operating in silos, disconnected from executive priorities. Just 45% of CISOs report that their strategy is aligned with how much risk their business is willing to take. Worse, only 37% said security budgets are built into projects from the start. This push-and-pull dynamic forces cybersecurity teams to play catch-up, applying controls after the fact, instead of leading proactive prevention.

And time is a factor. When security isn’t built in from day one of a project, you’re dealing with last-minute fixes. That costs more, slows innovation, and limits the ability to protect data and systems efficiently. It also blocks accurate measurement of cyber risk against operational and financial performance, which is what C-suite stakeholders actually need to make smart decisions.

If you want to innovate fast and scale securely, this has to change. Cybersecurity must be embedded early and often into executive-level decision-making. The responsibility sits with us: the leadership. Assign clear ownership. Bring CISOs into strategic planning, not afterthought reviews. And make sure governance teams have the knowledge to engage, not just sign off. Strong alignment here doesn’t just protect operations; it speeds them up.

Integration of cybersecurity leadership into broader business structures is showing encouraging progress

We’re seeing clear movement in the right direction: cybersecurity is starting to take its place at the executive table. More than half of CISOs surveyed in LevelBlue’s report said cybersecurity is now treated as a shared leadership responsibility, with defined performance metrics. That’s important. It signals that cyber is being recognized not just as a technical discipline, but as a strategic pillar of business resilience and continuity.

This shift is overdue. The classic model of CISOs working in isolation from other business functions isn’t sustainable. Threats today impact every area of the company, from legal to operations to CFO-led risk modeling. Strong communication between security teams and broader leadership (which 57% of CISOs say they now experience) is a foundational step toward sustainable protection and smarter business strategy.

Senior executive attitudes are also changing. The report notes that 52% of senior leaders are less likely now than a year ago to treat cybersecurity as a “siloed” function. This isn’t just cultural; it’s a response to market conditions. Breaches are more visible. Regulators are watching. Partners and customers are asking tougher questions. So, this broader engagement with the CISO role is both a necessity and a competitive edge.

What matters here is speed and consistency. As cyber becomes a shared responsibility across leadership, you need clear metrics, ongoing collaboration, and collective ownership of outcomes. That means creating room for cross-functional planning, funding security from the start, and making cyber performance as easy to review as a financial report. The companies getting this right are accelerating while lowering risk at the same time.

A robust cybersecurity culture remains elusive, despite structural improvements

Culture is stubborn: it doesn’t shift just because the organization chart does. Despite progress in executive alignment, strong metrics, and integrated governance, many companies still lack the internal culture needed to make cybersecurity stick. In LevelBlue’s findings, only 43% of CISOs say their organization has a truly effective cybersecurity culture.

That means most companies still deal with misaligned behaviors, inconsistent employee practices, and security policies that exist more on paper than in reality. You can have all the right tools and procedures in place, but without buy-in across teams, especially in day-to-day workflows, you create vulnerability.

Executives need to understand: culture is a performance lever. It’s where risk builds or decreases. When your teams believe that cybersecurity is everyone’s responsibility, you see fewer mistakes, faster escalation of potential threats, and a stronger sense of ownership. But this doesn’t happen automatically. You have to build it deliberately, through incentives that align with behaviors, through accessible training, and via clear feedback loops between leadership and operations.

This is the kind of internal dynamic that gives organizations long-term resilience. Without it, even highly capable security leaders can’t generate consistent outcomes. The structure is important, but it’s the culture that makes it work. And if the majority of CISOs still say the culture isn’t there, that’s a signal business leaders need to act on now.

Software supply chain risks are significantly under-prioritized despite growing threats

The software supply chain remains a weak link for many companies. CISOs know it’s exposed, but that’s not translating into action. According to LevelBlue, only 31% of CISOs see the software supply chain as their greatest security risk, and just 25% are actively assigning confidence levels to suppliers. That’s a problem, and it’s not a small one.

Third-party components are everywhere: in vendor platforms, cloud services, and open-source libraries. And attackers have figured out that compromising one supplier can give them quiet access to dozens, sometimes hundreds, of organizations. This has already played out in high-profile cases, with attackers gaining access through manipulated updates or subcontractor credentials. The data tells us this threat model is real and scaling.

The gap here comes down to prioritization. Security leaders are stretched. They’re focused on AI, internal operations, and compliance, an agenda that keeps growing more complex. But that doesn’t excuse overlooking supplier risk. Without structured visibility into who’s inside your ecosystem, what access they have, and how they’re secured, blind spots multiply fast.

From a leadership perspective, this demands budget, focus, and operational clarity. Supplier assessments must move from compliance exercises to active risk management programs. Confidence scoring, mandatory testing protocols, and continuous monitoring need to become standard, not optional.

The companies that lead here won’t just prevent breaches; they’ll also be in a stronger position with regulators, enterprise customers, and investors. Security in the supply chain is now part of business credibility. And pretending it’s not critical is no longer defensible.

CISOs are evolving into business enablers, actively supporting innovation while managing cyber risks

Security is no longer just about saying “no” to risk; it’s about enabling the right kind of risk so the business can move faster. That’s a shift, and it’s happening now. LevelBlue’s report shows that 61% of CISOs believe their adaptive approach to cybersecurity is directly helping their organizations take on more innovation.

This is a practical evolution. CISOs aren’t just putting up barriers anymore; they’re shaping digital strategy, supporting faster deployments, and helping product and engineering teams launch securely. The mindset has moved from control to collaboration. The job isn’t to stop the future from happening; it’s to make it safer to build.

But enabling the business doesn’t mean loosening standards. It means embedding security at the start, aligning cyber with product development, M&A, and AI strategy upfront. It also means adopting flexible architectures and tooling that evolve with changing threat landscapes without slowing progress. That balance is hard but necessary.

To fully capture the upside, the gaps identified here (AI readiness, supply chain risk, fragmented governance) have to be closed. That takes direct involvement from the top. Boards and executives need to understand cybersecurity not as a cost center but as a capacity builder. Ask your CISO what they need to help the company move faster. Allocate those resources with the same urgency you’d apply to product or revenue operations.

As Kory Daniels, Chief Security & Trust Officer at LevelBlue, puts it: “CISOs are no longer just protecting the business, they are actively enabling it.” That’s the future of security leadership. It’s dynamic, it’s cross-functional, and when done right, it turns cybersecurity into a driver of competitive advantage.

Key takeaways for decision-makers

  • CISO confidence vs AI readiness: CISOs are highly confident in traditional cyber defense but underprepared for AI-driven threats like deepfakes and autonomous attacks. Leaders should invest in specialized AI threat capabilities to close this readiness gap quickly.
  • Governance and strategic misalignment: Cybersecurity strategies often misalign with business risk appetite and funding cycles. Executives should embed security planning and budget decisions earlier in project timelines to reduce risk and eliminate last-minute controls.
  • Security’s growing role in leadership: Cybersecurity is increasingly recognized as a shared leadership responsibility, with more executives integrating CISOs into strategic decisions. To accelerate this shift, leaders should align KPIs across business and security teams.
  • Cultural gaps in cybersecurity: Despite structural gains, most organizations still lack a strong cybersecurity culture. Business leaders should drive consistent behaviors by aligning incentives, daily practices, and accountability with formal security policies.
  • Overlooked software supply chain risk: Few CISOs consider the software supply chain their top risk, despite rising third-party vulnerabilities. Decision-makers should prioritize supplier assessments and implement confidence scoring to mitigate external access points.
  • CISOs as business enablers: CISOs now play a key role in enabling innovation through adaptive security models. Leaders should recognize this shift and fund cybersecurity as a growth enabler, not just a risk function, especially as AI and digital transformation accelerate.

Alexander Procter

February 16, 2026