
The Personal Impact of Compliance on CISOs in 2025

CISOs are caught between stricter regulations and board expectations. How are they managing the pressure?

Compliance is nothing new for CISOs. Security leaders and professionals have been regularly handling regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, and other mandates for well over two decades.


What is new, however, is the increased stakes for CISOs and boards alike. Globally, compliance regulations such as the SEC ruling in the U.S. in 2023 and Europe’s NIS2 and DORA are both more draconian and more enforceable than past mandates, requiring significantly narrower reporting windows while imposing heftier fines and harsher legal penalties. Similarly, HIPAA updates in 2024 strengthened Privacy Rule protections for reproductive health data, while a proposed 2025 Security Rule update introduces stricter cybersecurity requirements to safeguard the U.S. healthcare system from growing cyber threats. While boards are accountable to shareholders and responsible for enterprise risk, much of the legal liability from compliance violations often falls squarely onto CISOs’ shoulders.


In this year’s CISO Report: The path to digital resilience starts with your board, we highlight the changing regulatory environment, how CISOs and boards are approaching these new challenges, and some of the disconnects between boards’ perceptions and CISOs’ reality on the ground. Below are a few of the findings.



CISOs and boards have more at stake

Compliance has a different meaning to boards and CISOs than it did even just a few years ago. For CISOs, consequences for violations include regulatory scrutiny, legal liability, steep financial penalties, and the possibility of losing their jobs. In the worst-case scenarios, they could even face jail time. “I think enforcement has trended up compared to years ago when HIPAA was more of a suggestion than something that was actually enforced. It’s because of board awareness and the overall general population awareness, the number of breaches that get reported,” said Bruce Foreman, CISO at UMass Memorial Health.


And CISOs are feeling the pressure on all sides — from regulators to their organization’s leadership. Making matters more complicated, 21% of CISOs also reported they have been pressured by their organization not to report a security or compliance incident, further jeopardizing their jobs, reputation, and organizations. Staying on top of compliance isn’t just a box to check — it’s a constant balancing act of enforcing security measures, avoiding legal pitfalls, and keeping data safe. Encouragingly, however, the majority of CISOs surveyed are willing to do the right thing in the face of malfeasance — 59% said they would become a whistleblower if their organization was ignoring compliance requirements.


In addition to being more personal, compliance has become more involved for CISOs, requiring greater resources for security teams, more collaboration throughout the organization, comprehensive crisis management and media strategy, and, of course, the support of the board.


These new dynamics have compelled 57% of CISOs to rank depth of knowledge on regulations and compliance among their most important skills to develop — and 44% of board members agree. In short, CISOs can’t regard regulatory requirements as “check-box” items.


And it’s not just CISOs who are under fire — boards are also feeling the pressure from compliance mandates. Regulatory scrutiny and the fallout from negative press can wreak havoc on an organization’s brand and reputation, which has the potential to sink stock prices and weaken the confidence of shareholders.


These realities are likely felt throughout the organization. So, it’s hardly surprising that 69% of board members said that growing compliance pressures have made being a member of the board more difficult. They’re not wrong — 37% of CISOs cite a lack of compliance with regulatory requirements as the driving factor behind their most recent cyber attack.


“I don’t want to be the next CISO to be sued by the SEC. This is why we are asking for resources, why we are pushing the company to change, and because this is the world we are living in now. Will we be hit by an incident one day that will really impact us? The response is yes,” said a CISO of a large multinational telecom company.



Boards and CISOs take different approaches to compliance

While boards and CISOs agree that compliance is important, the similarities might end there. While 42% of board members believe CISOs spend an extensive amount of time and effort on regulatory activities, only 29% of CISOs say that is the case. After all, when overseeing their organization’s security strategy, compliance is only one of the many things they work on.


CISOs also don’t necessarily think compliance metrics are the best way to gauge performance. Only 15% of CISOs ranked compliance status as a top performance metric, a significant disconnect compared to 45% of boards who felt it was a strong measure of their success.


These disconnects are costly, compelling CISOs to question the effectiveness of their programs. Due to the current threat and regulatory environment, 64% of CISOs say they’re concerned they’re not doing enough to protect the organization, and 54% of board members feel the same way.



CISO-board alignment requires communication — and due diligence

So, how can CISOs and boards become more aligned on compliance strategy? First, recognize that boards may not fully understand the work required to achieve compliance, especially in a much more rigorous environment.


That’s where CISOs come in. It’s up to us to educate our boards about what our teams need to keep the organization compliant. In a more punitive regulatory environment, we also need to prepare. That means knowing our personal liability and ensuring we meticulously document all compliance activities and events. We also need to make the business case for compliance, showing how these investments cut long-term costs, from avoiding legal fees to reducing breach remediation expenses. By prioritizing compliance based on risk impact, we can focus on the most critical threats to the business. And we need to tie compliance directly to strategic goals — if the board is focused on cloud transformation, for example, we must show how compliance enables and strengthens that initiative.


We should also know what boards expect from us during a crisis. This requires CISOs to articulate risks to the board early and often. Technical risks should be framed in business terms — how they affect financial impact, reputational damage, and operational efficiency — so leadership can make informed decisions. Make sure all parties agree on expectations before an incident occurs, not in the middle of a crisis. And codify those agreements and your responsibilities in writing.


Ultimately, using metrics that matter to boards makes conversations more impactful. Presenting KPIs, such as cost savings from regulatory penalties avoided, or using a compliance dashboard with clear, visual insights helps bridge the language gap and demonstrates how CISOs support strategic goals.


When it comes to compliance, there’s no such thing as “too careful.” But with consistent communication and transparency, your board can be an ally in overcoming new and unforeseen compliance hurdles that come your way.


Download The CISO Report for more insights from CISOs and boards on security priorities, budgets, and generative AI.

Read more Perspectives by Splunk
