Majority of global CISOs want to split roles as regulatory burdens grow

A growing number of CISOs are looking for their roles to be split up due to the mounting regulatory responsibilities of the position, according to new research from ISACA.

The industry body’s CISO Quick Poll for 2025 found 56% of the 200 surveyed chief information security officers (CISOs) globally are considering or would like to see the role subdivided. Among US CISOs, that percentage is even higher, at 68%.

ISACA said this may be the result of CISOs reporting more duties, such as governance, risk, compliance, and legal, being subsumed into their role.

According to the survey, 83% of respondents have dealt with higher levels of regulation or legislative requirements over the past five years, with NIS2 and DORA being the most impactful in Europe, while SEC rules had the biggest effect on US security leaders.

Two-thirds of respondents said they have taken on more responsibilities directly related to regulatory compliance, with 39% saying they now deal with legal duties and 33% taking on more work around privacy.

Chris Dimitriadis, chief strategy officer at ISACA, said CISOs are finding their roles becoming increasingly complex due to growing regulatory demands. “With so many responsibilities and so much personal risk it’s easy to understand why they are asking for their duties to be better defined, shared, or split,” he said.

CISOs under pressure

Questions are being raised over the regulatory burden being placed on CISOs. Separate research from Trellix found 79% of UK CISOs said current regulation, such as NIS2 and DORA, was placing overwhelming pressure on their organizations.

As part of these regulatory regimes, CISOs have accepted greater personal accountability and, in some cases, even personal liability. A key example of this was when SolarWinds’ security chief was charged by the SEC over alleged fraud through cybersecurity failures.

CISOs have also found themselves working longer hours in recent years. Revelations over the 2023 Black Friday attack on British Library CTO came with a breakdown of the grueling schedule she kept during the incident response, working over 10 hours every day and up to 18 hours at some points.

The combination of all these pressures is prompting CISOs to reconsider their role in 2025. ISACA’s study found 74% of CISOs believe they will need to renegotiate their role within the next two years. Reasons for these renegotiations include the role being too demanding (53%), better distributing business risk among the leadership team (52%), and better defining personal liabilities associated with the role.

“The future of the CISO role is being reshaped by an evolving regulatory environment and escalating personal liabilities,” Dimitriadis said.

“Organizations must recognize this and take proactive steps to redefine and restructure the role to address these concerns. Failure to do so risks burnout, high turnover, and gaps in security leadership—all of which could have severe consequences for enterprise resilience.”
