CISOs are confident in the fundamentals but concerned about AI and supply chain

AI Basics


LevelBlue published research suggesting that while many chief information security officers believe they are effective in core security areas, they lack confidence in defending against AI-driven attacks and managing software supply chain risk.

The report is Persona Spotlight: CISOsurveyed cybersecurity leaders about the role of security in preparedness, governance, and broader business decisions. We also looked at how CISOs are assessing emerging threats such as deepfakes and other AI-enabled techniques.

The survey results show that 60% of CISOs rate themselves as very capable in cyber resiliency, core security operations, and collaboration with the broader business. This shows that its role extends beyond traditional security functions into broader risk and governance discussions.

Many security leaders also see commercial benefits. 61% say an adaptive cybersecurity approach allows companies to take on greater innovation risks.

Ready for AI

Trust decreased when respondents considered the threat posed by AI. Only 53% said they felt prepared to defend against an “AI-identified enemy.”

The survey also suggests that many organizations expect AI-related attacks to become a near-term operational issue. 45% of CISOs said they expect AI-powered or deepfake attacks to impact their organization within the next 12 months.

LevelBlue identified the gap between expectations and readiness as a sign of shifting priorities as generative AI tools become widely available, and a potential pressure point for boards and executives considering investment planning and management.

shared ownership

This research suggests that cybersecurity is increasingly being treated as an organizational responsibility, rather than a specialized department operating in isolation. 52% of senior executives said they are less likely to treat cybersecurity as a silo than they were a year ago.

Despite this change, internal coordination remains an issue. Only 45% of CISOs say their business risk appetite is effectively aligned with cybersecurity risk management.

Budget integration is another gap, with 37% saying their cybersecurity budget is built into projects from the beginning.

Governance is also an issue. 60% cite lack of understanding of cyber resilience by governance teams as a key barrier, along with unclear ownership.

There are signs that efforts are being made to establish consistent measures across sectors. 55% said cybersecurity is increasingly being treated as a shared leadership responsibility with defined KPIs and metrics.

Communication also scored relatively well, with 57% reporting effective communication between their security team and the organization as a whole.

However, few respondents believed that their culture was mature. Only 43% say their organization has a truly effective cybersecurity culture, reflecting continued gaps in education, governance, and accountability.

supply chain gap

This study highlights software supply chain exposure as an area where perceptions may not match recent attack patterns. Only 31% of CISOs say they believe their biggest security risks come from the software supply chain.

When it comes to increasing visibility, 25% said assigning trust levels to suppliers is a priority. LevelBlue argued that limited visibility into suppliers and third parties can create cascading risks beyond an organization’s direct control.

The findings come amid continued regulatory scrutiny of cyber resilience and third-party risk management. Many jurisdictions now expect organizations to demonstrate supplier oversight, incident response plans and governance processes, and boards are expected to demonstrate active engagement.

The study also suggests that there is an increasing expectation that the CISO’s role will bridge technology assurance and corporate decision-making, linking resiliency measures to growth plans and the adoption of emerging technologies.

The central theme is that while organizations are improving their day-to-day security operations, they may be underestimating how quickly attackers can deploy AI tools and exploit supply chain dependencies.

Corey Daniels, Chief Security and Trust Officer at Level Blue, linked resilience investments to corporate ambitions and highlighted the preparedness gap.

“CISOs are no longer just protecting the business, they are actively forgiving the business. Organizations that invest in cyber resilience are better positioned to scale AI, innovate faster, and pursue new opportunities. But to fully unlock that value, leaders must close critical gaps in AI security readiness, software supply chain visibility, and executive alignment,” said Kory Daniels, Chief Security and Trust Officer at LevelBlue.

LevelBlue recommended stronger executive alignment between cyber resilience strategy and measurable business value, stronger alignment between business and security teams, and greater use of external expertise to address specialist challenges. It also called on organizations to prioritize software supply chain risks by identifying urgent risks and making targeted improvements.



Source link