Skip to main content
CybersecuritySocial Engineering

CISOs Warn of Executive Disconnect on Cybersecurity Risks

CISO stands concerned in office, overlooking blurred boardroom scene.

"AI has changed the context for human risk. Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale," said James Mackay, CEO at MetaCompliance.

CISOs say executives do not grasp employee-driven cyber risk

More than three quarters of cybersecurity leaders responding to a MetaCompliance report published on July 9 believe board-level decision makers above them do not understand the cybersecurity risks associated with how employees act in the workplace. The report, based on responses from over 200 CISOs across Europe, found 78% of those surveyed said C-level executives do not fully understand cybersecurity risks.

That perceived gap in understanding is not academic. CISOs told the researchers that diminished executive attention and inconsistent senior backing are creating practical barriers to building organisational resilience against evolving threats.

Leadership support for awareness initiatives fades, CISOs report

According to the survey, 79% of CISOs said leadership support for security awareness initiatives fades over time. Respondents described a pattern where an initial push for training and awareness loses momentum, making it harder to maintain protection against changing tactics used by attackers.

MetaCompliance warns that, without sustained backing, awareness programmes risk becoming episodic rather than part of an ongoing risk-reduction strategy—leaving gaps that sophisticated adversaries can exploit.

AI-driven social engineering is the primary new concern

Many CISOs reported falling confidence in their organisation’s cyber resilience compared with 12 months earlier. Half of those who are less confident cited the rise of increasingly sophisticated and scalable AI-based social engineering attacks as the primary reason.

That rise underpins the urgency of the report’s central message: human cyber risk has shifted from unsophisticated phishing to what MetaCompliance describes as high-volume, highly convincing impersonation and fraud enabled by AI.

Inconsistent policy and the risks of LLMs and AI agents

Survey respondents also flagged operational causes for concern. A lack of joined-up thinking across business stakeholders has produced uneven policies between organisational sections, creating complications around security and access that the report says could ultimately lead to data loss or a cyber incident.

The rise of LLMs and AI agents in the workplace has further complicated matters. Forty percent of CISOs surveyed fear employees are sharing sensitive information with generative AI platforms, a practice the report links to possible data breaches or privacy violations for the organisation.

What this means for CISOs, C-level executives, and employees

  • CISOs: The survey shows many are attempting to drive behavioural and technical change without consistent senior support, clear ownership or a shared understanding of the risk across the business—factors they say hamper sustainable resilience.
  • C-level executives: The findings signal a need for prolonged engagement beyond one-off commitments. MetaCompliance’s messaging urges executives to treat human cyber risk as a strategic business risk rather than solely an awareness or training issue.
  • Employees: The report highlights employee actions—particularly the sharing of sensitive information with generative AI platforms and their exposure to AI-enabled impersonation—as central to organisational exposure, increasing the importance of practical, ongoing guidance and controls.

MetaCompliance’s leadership framed the problem bluntly. "That makes senior leadership alignment more important than ever," said James Mackay, CEO at MetaCompliance, and later warned, "If leadership support fades after the initial push, organisations are left exposed. Building resilience against AI-enabled threats requires sustained executive backing, better stakeholder alignment and a more intelligent, behaviour-led approach to managing human cyber risk," said MacKay.

The report underlines a specific tension: CISOs see the threat environment hardening because of AI, yet they increasingly lack the consistent executive attention and cross-business coordination they say are needed to respond. Whether boards and C-level teams shift from episodic interest to sustained ownership will determine how exposed organisations remain to the kinds of AI-enabled attacks the survey highlights.

Source: Infosecurity Magazine — 75% CISOs Fear Executives Don’t Understand Cybersecurity Risks Employees Face (MetaCompliance report)