The Numbers Are Stark: A Leadership Disconnect
More than three-quarters of cybersecurity chiefs believe the executives they report to simply do not grasp the real-world dangers their employees face online. That is the headline finding from a new report by MetaCompliance, released July 9 and based on a survey of over 200 CISOs across Europe. Specifically, 78% said C-level leaders lack a full understanding of the cybersecurity risks tied to everyday employee behavior.
This disconnect comes at a particularly dangerous moment. Workers are being hammered by phishing attacks, and the rapid rise of generative AI has given attackers powerful new tools to craft convincing scams. The result? A growing tension between the security teams on the front lines and the boardroom above them.
Why the Boardroom Gap Matters Now More Than Ever
It is not just a matter of bruised egos. This CISO executive cybersecurity gap has real consequences. According to the survey, 79% of CISOs said executive support for security awareness initiatives fades over time. Initial enthusiasm for a new training program or a security push evaporates, leaving cybersecurity leaders to fight evolving threats with dwindling backing from above.
That lack of sustained support makes it far harder to protect the organization. Employees remain the weakest link, and the threats are getting smarter. AI-based social engineering attacks have become increasingly sophisticated and scalable. As James Mackay, CEO of MetaCompliance, put it: “Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale.”
Mackay added that the situation demands something more than a one-off training session. “Human cyber risk is no longer just an awareness issue or a training issue; it is a strategic business risk,” he said. “But our research shows that many CISOs are still trying to drive change without consistent senior support, clear ownership or a shared understanding of the risk across the business.”
Confidence Is Dropping — and AI Is a Big Reason Why
The survey reveals that half of CISOs now feel less confident in their organization’s cyber resilience than they did just 12 months ago. The primary culprit? The rise of highly sophisticated, AI-driven attacks. These are not the clumsy phishing emails of yesteryear. Modern attacks use large language models (LLMs) and AI agents to mimic real colleagues, vendors, or executives with startling accuracy.
This erosion of confidence is a red flag for any organization. When the person responsible for security starts to doubt the company’s defenses, the entire posture is weaker. And the problem is compounded by internal fragmentation.
Fragmented Policies and Siloed Thinking
Another reason CISOs are struggling, according to the report, is a lack of joined-up thinking across the business. Different departments often operate under different security policies, creating gaps and inconsistencies. One team might have strict access controls, while another takes a lax approach. This inconsistency can lead directly to data loss or a full-blown incident.
The rise of generative AI in the workplace has only deepened this chaos. A worrying 40% of the CISOs surveyed said they fear employees are sharing sensitive information with public generative AI platforms like ChatGPT. This kind of shadow use can result in serious data breaches or privacy violations, and it often happens without the knowledge of the IT or security team.
What Needs to Change: Sustained Executive Backing
Fixing this problem is not about buying a new tool or running another phishing simulation. It requires a fundamental shift in how the board views cybersecurity. The CISO can no longer be a lone voice in the wilderness. Executives need to treat human cyber risk as a core business risk — one that demands ongoing attention, not just a quarterly check-in.
Mackay summed it up bluntly: “If leadership support fades after the initial push, organisations are left exposed. Building resilience against AI-enabled threats requires sustained executive backing, better stakeholder alignment and a more intelligent, behaviour-led approach to managing human cyber risk.”
For CISOs, the takeaway is clear. Bridging the CISO executive cybersecurity gap is not optional; it is survival. Without a shared understanding at the top, even the best security strategy will eventually fall apart. And with AI-powered social engineering growing more convincing by the day, the cost of that disconnect is only going to rise.