SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

CISOs confident on basics but fear AI & supply chain

Wed, 11th Feb 2026

LevelBlue has published research suggesting many Chief Information Security Officers see themselves as effective in core security disciplines, but are less confident about defending against AI-driven attacks and managing software supply chain risk.

The report, Persona Spotlight: CISO, surveyed cybersecurity leaders on preparedness, governance, and the role of security in broader business decision-making. It also examined how CISOs assess emerging threats such as deepfakes and other AI-enabled methods.

The findings show 60 per cent of CISOs rate themselves as highly competent in cyber resilience, core security operations, and collaboration with the broader business. This points to a role that extends beyond traditional security functions into wider risk and governance discussions.

Many security leaders also see a commercial benefit: 61 per cent said their adaptive cybersecurity approach enables the business to take greater innovation risks.

AI readiness

Confidence dropped when respondents considered AI-driven threats. Just 53 per cent said they feel prepared to defend against "AI-authorised adversaries".

The survey also suggests many organisations expect AI-related attacks to become a near-term operational issue. Forty-five per cent of CISOs said they expect AI-powered or deepfake attacks to affect their organisations within the next 12 months.

LevelBlue framed the gap between expectations and preparedness as a sign of shifting priorities as generative AI tools become widely available, and as a potential pressure point for boards and executive teams reviewing investment plans and controls.

Shared ownership

The research suggests cybersecurity is increasingly treated as an organisational responsibility rather than a specialist function operating in isolation. Fifty-two per cent of senior executives said they are less likely than a year ago to treat cybersecurity as a silo.

Despite that shift, internal alignment remains an issue. Only 45 per cent of CISOs said business risk appetite is effectively aligned with cybersecurity risk management.

Budget integration is another gap: 37 per cent said cybersecurity budgets are embedded into projects from the start.

Governance is also a challenge. Sixty per cent cited governance teams' lack of understanding of cyber resilience as a key barrier, alongside unclear ownership.

There are signs of progress in efforts to establish consistent measures across departments. Fifty-five per cent said cybersecurity is increasingly treated as a shared leadership responsibility with defined KPIs and metrics.

Communication also scored relatively well, with 57 per cent reporting effective communication between security teams and the wider organisation.

However, fewer respondents viewed their culture as mature. Only 43 per cent said their organisation has a truly effective cybersecurity culture, reflecting continued gaps in education, governance, and accountability.

Supply chain gaps

The research highlighted software supply chain exposure as an area where perception may not match recent attack patterns. Only 31 per cent of CISOs said they believe their greatest security risk could originate from the software supply chain.

On improving visibility, 25 per cent said assigning confidence levels to suppliers is a priority. LevelBlue argued that limited visibility into suppliers and third parties can create cascading risk beyond an organisation's direct control.

The findings come amid ongoing regulatory scrutiny of cyber resilience and third-party risk management. Many jurisdictions now expect organisations to demonstrate oversight of suppliers, incident response planning, and governance processes, with boards expected to show active involvement.

The research also suggests the CISO role is increasingly expected to bridge technical assurance and enterprise decision-making, linking resilience measures to growth plans and emerging technology adoption.

A central theme is that organisations may be improving day-to-day security operations while underestimating how quickly adversaries can adopt AI tools and exploit supply chain dependencies.

LevelBlue Chief Security & Trust Officer Kory Daniels linked resilience investment to corporate ambitions and highlighted gaps in preparedness.

"CISOs are no longer just protecting the business, they are actively letting it. Organisations that invest in cyber resilience are better positioned to scale AI, innovate faster, and pursue new opportunities. But to fully unlock that value, leaders must close critical gaps in AI security readiness, software supply chain visibility, and executive alignment," said Kory Daniels, Chief Security & Trust Officer, LevelBlue.

LevelBlue recommended stronger executive alignment between cyber resilience strategy and measurable business value, deeper collaboration between business and security teams, and greater use of external expertise for specialist challenges. It also urged organisations to prioritise software supply chain risk by identifying urgent exposures and making targeted improvements.