CISOs are ready. Is the board listening?

Anna Borgström

CEO | NetClean

During my recent travels to London, New York, and Stockholm, I had the opportunity to engage with partners and customers about the pressing issues of insider risk and human detection. A consistent theme emerged: organizations are increasingly aware of the need to address insider threats—but many are tired of being stuck in the awareness phase. There's an urgent desire to move beyond education and into execution.

The shift from awareness to action

Historically, efforts have focused on educating the market about insider risks. But today, many professionals—especially those in CISO and security operations roles—express fatigue with having to constantly advocate internally just to secure funding for the technologies and staff they know are critical. Too often, security leaders find themselves having to justify the basics—tools that provide visibility into behavioral threats, or hiring specialists who can manage nuanced risks—because the perception of insider risk hasn't fully matured at the executive level. This not only delays action, but can also wear down teams who are already stretched thin managing day-to-day threats. They know the risks, and they’re ready to act—but across many organizations, that readiness is held back by internal friction. While some have integrated insider risk management programs, others still struggle to justify the necessary investments—often because awareness hasn’t fully translated to buy-in at the leadership level.

Understanding the investment landscape

But there is reason for optimism. The fatigue around awareness is being met with signs that mindsets—and budgets—are beginning to shift. We're starting to see momentum in the right direction, with concrete signals that investment in insider risk is becoming a strategic priority rather than a reactive add-on.

Recent studies shed light on the current investment climate:

  • Budget Allocation: The portion of IT security budgets dedicated to insider risk management has more than doubled, rising from 8.2% in 2023 to 16.5% in 2024.
  • Perceived Adequacy: Despite this increase, 45% of organizations feel their current funding for insider risk management is insufficient.
  • Return on Investment: Companies with established insider risk programs report significant benefits, including time savings in breach responses (63%), protection of brand reputation (61%), and financial savings from breach prevention (59%).

These figures highlight a growing recognition of the importance of insider risk management, yet also underscore the ongoing debate about resource allocation. Importantly, a company does not need to have a full insider risk management program in place to begin making meaningful investments. Targeted efforts—such as implementing human risk detection capabilities—can significantly elevate an organization’s security posture without requiring an extensive overhaul. This is especially relevant for teams that feel they’ve done their part raising internal awareness and now need tools to help them act.

The human element in insider risk

A critical aspect of insider risk is the human element. Individuals engaging in illicit activities, such as accessing Child Sexual Abuse Material (CSAM), pose significant risks to organizations. Even if such activities occur offsite, the individuals involved become vulnerable to blackmail and coercion, potentially leading to severe security breaches within the company. Addressing these human factors is essential in mitigating insider threats.

This is where implementing human risk detection software becomes not just helpful—but essential. It allows organizations to identify behavioral red flags early, before they escalate into full-blown crises. Like the Swedish lottery slogan “Plötsligt händer det” (“Suddenly it happens”), these risks can appear without warning—black swan events that no policy or firewall can predict. Human risk detection provides a line of defense against the unforeseen by surfacing detections that traditional cybersecurity measures often miss.

Challenges in board-level understanding

A recurring challenge highlighted during my discussions is the difficulty CISOs and security leaders face in educating board members about insider risks. While there are encouraging signs of progress, many boards still lack a comprehensive understanding of these issues, which sometimes makes it harder to secure the necessary investments. This disconnect can create friction, where frontline teams are ready to act but are held back by strategic indecision. From the discussions I had, I learned that there's a growing sense of frustration among those tasked with security: “we’ve educated enough, now we need backing.” The result is not just a funding gap, but a risk gap. Enhancing board engagement and governance is vital to ensure insider risk receives the focused attention and resourcing it demands.

Conclusion

The conversations in London, New York, and Stockholm reflect a critical juncture in addressing insider risk. While awareness has been established—and in many cases, exhausted—the focus must now shift to implementing effective, tailored strategies that address the unique challenges each organization faces. Investing in human risk detection and fostering a culture of security awareness at all levels, including the boardroom, can empower organizations to move from understanding the problem to actively mitigating it.

Ready to move from awareness to action?

If this resonates with you—and you're ready to take the next step in addressing insider risk—we’d love to continue the conversation.

Get in touch to learn how human risk detection can help your organization take action where it matters most.
