Cyber Risk Is Enterprise Risk: What That Means for Board Oversight in 2026

There’s still a version of cybersecurity that lives in the IT department, run by people with technical titles, surfaced to the board only when something breaks. That model stopped working about five years ago. Where it persists, it tends to leave financial and regulatory exposure that boards haven’t priced in and often haven’t been asked about, on top of governance gaps that are increasingly visible to regulators.

Cybercrime cost the global economy approximately $10.5 trillion in 2025, per Cybersecurity Ventures, and analysts project that figure approaching $12.2 trillion annually by 2031. The companies absorbing those losses are largely well-resourced organizations that treated security as a technical function for too long.

The Threat Surface Changed Faster Than the Org Chart

Three developments have made this structural mismatch acute. The first is AI. Organizations are deploying AI across products and operations at a pace that consistently outstrips their security posture. New attack surfaces are being created faster than most security teams can assess them, while adversaries are simultaneously using AI to automate reconnaissance, accelerate attack cycles, and adapt in real time to defensive responses.

Related: How to Structure a Security Organization by Stage, Risk Profile, and the Bench Beneath the CISO

The second is the normalization of ransomware and third-party risk. Industry research indicates that ninety-three percent of businesses report experiencing at least one ransomware or extortion attempt in the past 24 months. And an attack doesn’t need to hit your own infrastructure to affect operations: a compromised cloud vendor or critical partner can produce identical downstream consequences. Third-party risk is no longer separable from internal security posture.

The third is geopolitical volatility. State-aligned threat activity, sanctions enforcement, and shifting export controls are pulling cybersecurity into questions that used to sit with general counsel or government affairs. The smartest organizations are acting on a simple reality: they know there are gaps they cannot see. That uncertainty is driving more executive-level security hiring as companies look for leaders who can anticipate what the next three to five years may demand and build the posture to meet it.

What Governance Requires Now

The SEC’s cybersecurity disclosure rules formalized what many board members had already intuited: cyber incidents are material events with explicit disclosure obligations that require board-level oversight. Boards now carry formal oversight responsibilities for cybersecurity risk, and organizations without a qualified CISO (or with one who lacks the communication fluency to brief a board in business terms) are exposed in ways that are increasingly visible to regulators and investors.

Related: The CISO Mandate Isn’t One-Size-Fits-All: How the Role Changes Across VC, PE, and Public Companies

Nearly half of organizations anticipate board-driven changes in executive responsibilities around cybersecurity in the near term. The direction is clear: security is being elevated from a technical function to an executive accountability with direct lines to the CEO and the board.

What a Prepared Organization Looks Like

An organization that has addressed this shift has a CISO who reports into the executive team, with direct lines to the CEO and the board and the executive standing the role now requires. Top candidates increasingly screen for this before accepting a role, and boards that require meaningful cyber oversight need it structurally. It has a defined security organization with clear ownership of engineering, governance, product security, and incident response. And it has a CISO who can walk into a board meeting and translate technical exposure into business risk in terms that support informed decisions.

Three things separate the companies that get through an incident from the companies whose Wikipedia page leads with one: mandate, structure (the CISO and the VP layer beneath them), and a CISO who can communicate.

The Starting Point

If the answer to ‘where does our CISO sit and what are they accountable for’ is unclear, that’s the starting point. The 2026 CISO Hiring Blueprint covers how to define the CISO function, what the modern mandate requires across company stages, and how to assess whether your current security leadership is positioned to meet it.

The 2026 CISO Hiring Blueprint covers the full org design framework by company stage.

Frequently Asked Questions

What should boards know about cybersecurity risk in 2026?

Cyber risk is now enterprise risk with board-level accountability. The SEC’s disclosure rules treat cyber incidents as material events requiring board oversight, so boards carry formal responsibility for cybersecurity risk. Organizations without a qualified, board-fluent CISO are exposed in ways increasingly visible to regulators and investors.

What does a prepared organization look like?

It has a CISO who reports into the executive team with direct lines to the CEO and board, a defined security organization with clear ownership across engineering, governance, product security, and detection, and a CISO who can translate technical exposure into business risk in terms a board can act on.

Why is cyber risk now a board-level issue?

Three forces converged: AI is creating new attack surfaces faster than teams can assess them, ransomware and third-party risk have normalized, and geopolitical volatility is pulling security into questions once owned by general counsel. Cybercrime cost the global economy roughly $10.5 trillion in 2025.

Related: How to Structure a Security Organization That Scales

About Riviera Partners

Riviera Partners is a global executive search firm focused exclusively on technical leadership, including product, engineering, IT, AI/ML/Data, and cybersecurity.