IT Brief Australia - Technology news for CIOs & IT decision-makers

CISOs confident in cyber skills but lag on AI threats

Thu, 12th Feb 2026

LevelBlue has published new research pointing to a confidence gap among Chief Information Security Officers (CISOs) on AI-related threats, despite strong self-assurance in core cyber resilience and security operations.

Its CISO Persona Spotlight report found that 53% of CISOs feel prepared to defend against AI-enabled adversaries. At the same time, 45% expect AI-powered or deepfake attacks to affect their organisations within the next 12 months.

The results also suggest many security leaders see their role extending beyond defensive work. Nearly two-thirds of CISOs (60%) rated themselves as highly competent in cyber resilience, core security operations, and collaboration with the wider business. Another 61% said their adaptive cybersecurity approach allows the business to take greater innovation risks.

AI readiness

The report describes AI as a fast-moving area where confidence lags behind expectations of near-term impact. It links preparedness to defending against AI-enabled adversaries and to the anticipated rise of synthetic media and impersonation techniques such as deepfakes.

Boards and regulators have increased scrutiny of security leaders following high-profile breaches and disruptive attacks. The data suggests that awareness does not automatically translate into operational readiness in fast-evolving areas such as AI-generated fraud, social engineering, and automated reconnaissance.

Many organisations also struggle to set clear ownership and decision-making structures for security programmes. Nearly two-thirds of CISOs (60%) cited governance teams' lack of understanding of cyber resilience as a key barrier, and the report also flagged unclear ownership as an obstacle.

Business alignment

The research also highlights ongoing challenges aligning cyber strategy with business risk decisions and funding models. Only 45% of CISOs said cyber strategy aligns with business risk appetite, and just 37% said cybersecurity budgets are embedded into projects from the start.

These figures suggest security teams often have to negotiate for resources after business priorities and technical designs are already set. That can slow control implementation and make it harder to measure cyber risk alongside operational and financial risks.

Even so, the report indicates progress in integrating security leadership into broader management structures. More than half of respondents (55%) said cybersecurity is increasingly treated as a shared leadership responsibility with defined KPIs and metrics, while 57% reported effective communication between security teams and the wider organisation.

Senior executive attitudes also appear to be shifting. The study found that 52% of senior executives were less likely than a year ago to treat cybersecurity as a silo, pointing to greater recognition of cyber risk as an enterprise issue rather than a specialist function.

Culture remains a sticking point. Only 43% of CISOs said their organisation has a truly effective cybersecurity culture, leaving a majority where behaviours and incentives may not match formal policies and technical controls.

Supply chain risk

Software supply chain exposure emerged as a potential blind spot. Only 31% of CISOs said their greatest security risk could originate from the software supply chain, and just 25% said assigning confidence levels to suppliers is a priority for improving supply chain visibility.

The findings come amid continued concern about third-party dependencies, open-source components, and supplier access to internal systems. Attackers have used software updates, outsourced service providers, and compromised credentials to reach multiple organisations through a single point of entry.

LevelBlue framed the results as further evidence that the CISO role has expanded and that organisations increasingly link security posture to business outcomes. "CISOs are no longer just protecting the business - they are actively enabling it," said Kory Daniels, Chief Security & Trust Officer at LevelBlue.

Daniels also highlighted areas where organisations fall short:

"Organisations that invest in cyber resilience are better positioned to scale AI, innovate faster, and pursue new opportunities. But to fully unlock that value, leaders must close critical gaps in AI security readiness, software supply chain visibility, and executive alignment."

LevelBlue recommended strengthening executive alignment, deepening collaboration between business and security functions, drawing on external expertise where needed, and prioritising software supply chain risk by identifying urgent exposures and making targeted improvements.

The report adds to a growing body of industry research suggesting boards and executive teams increasingly accept cybersecurity as a strategic risk, while organisations still struggle to execute in emerging threat areas and manage suppliers and complex technology estates.

LevelBlue provides managed security services, consulting, and threat intelligence. Its ongoing research programme examines how cybersecurity leaders respond to shifting threats and governance demands.