CISO Career Perspectives - Representation of security experience in DAX40 boards
- Anton Horn

- 21 Jan.
- 9 min read
There is not enough Cybersecurity expertise in senior leadership positions.
This is a widely held assumption across the Information Security community.
We wanted to see whether the situation is really as bad as assumed - so we performed a structured review of the approximately 800 CVs of all DAX40 board members, covering both boards of management (CEO, CFO, COO etc.) and supervisory boards.
We analyzed these CVs for any experience that would be relevant to managing Cybersecurity risks. We sorted the level of experience in three categories:
Active Cybersecurity experience; e.g. as a security executive (CISO or similar) or operational Cybersecurity experience
Cybersecurity-adjacent experience; e.g. in IT compliance, crisis management or defense/military
No visible Cybersecurity expertise
This representation is important for three reasons:
Board-level governance of Cybersecurity programs is becoming more and more important, due to the rising risk exposure across most industries and the correlated increase in Cybersecurity budgets
Representation of former security practitioners serves as a signal to CISOs and other security executives how attainable roles on these boards are for them and what their professional life after a CISO role might look like
Recent Cybersecurity regulation in the EU (NIS2 and DORA) pushes boards of management to improve their expertise around Cybersecurity risks.
Definition: What is the difference between the management board and supervisory board?
German listed companies operate under a two‑tier board system that separates executive management from oversight and control.
The management board (Vorstand) is responsible for running the company on a day‑to‑day basis. Its members collectively manage operations, define and execute strategy, allocate resources, and carry responsibility for financial performance, compliance, and risk management, including Cybersecurity. Management board members are executive roles with direct decision‑making authority.
The supervisory board (Aufsichtsrat) does not participate in daily operations. Its role is to oversee and monitor the management board. This includes appointing and dismissing management board members, approving major strategic decisions, overseeing risk management and internal controls, and representing shareholder and employee interests. By law, both boards are strictly separated; no individual may serve on both boards at the same time.

Key Findings
As of 2026, exactly one board member has active Cybersecurity experience. That number rose from zero in 2025, when Marielle Ehrmann, Senior Vice President at SAP SE and their "Chief Security Compliance & Risk Officer", joined SAP's supervisory board in January 2026.
Beyond active Cybersecurity experience, we also looked at Cybersecurity-adjacent experience:

Only 4% of management board (MB) and the same share of supervisory board (SB) members have any publicly visible security-adjacent experience (see our definition in the section Study Design).
These are 9 out of the 252 DAX40 MB members and 12 out of 344 SB members (excluding workers' representatives, who make up 50% of most SBs in Germany).
Before starting this analysis we had two major assumptions about the results, which turned out to be mostly false:
Technology companies are more likely to have Cybersecurity expertise on either board: Of the three tech companies in the DAX40 (SAP, Zalando, Scout24), only SAP has any visible Cybersecurity experts on its boards - and only recently. Excluding SAP, no active or adjacent security experience is present on either board of the remaining companies.

Supervisory boards have a dedicated focus on risk oversight and would therefore have a higher representation of Cybersecurity expertise than management boards: Both SB and MB members have an equally low share of Cybersecurity-adjacent expertise at around 3.5%. Again, SAP is an outlier, with one person on its supervisory board with active Cybersecurity experience.
Note, however: the share of supervisory boards with at least one member with Cybersecurity experience, at 30%, is higher than the 20% share of management boards.
Implications for Cyber Risk Governance
A general lack of Cybersecurity skills across boards can have significant implications for the Governance of Cybersecurity programs across large enterprises.
Chief among them:
Boards will only have a surface-level understanding of Cybersecurity risks and how to manage them
Cybersecurity programs cannot be effectively challenged by boards
Boards have strong dependencies on outsiders (consultants, external advisors) to help them govern Cybersecurity independently
Surface-level understanding of Cybersecurity
The lack of Cybersecurity expertise at board level leads to an inherently superficial understanding of Cyber risk. Cybersecurity is primarily discussed through abstractions such as compliance status, maturity models, or high-level KPIs, rather than through an understanding of actual threat scenarios and operational weaknesses.
Without domain knowledge, boards struggle to differentiate between formal compliance and real resilience, or between documented controls and their effectiveness in practice. As a result, Cybersecurity can be treated as a static checklist exercise instead of a dynamic risk discipline that evolves with the business, technology stack, and threat landscape.
Ineffective oversight of Cybersecurity programs
Effective board oversight requires the ability to challenge management. In the absence of Cybersecurity expertise, this challenge is largely symbolic.
Boards are limited to reviewing reports and external assessments without being able to critically evaluate their assumptions, scope, or conclusions. Oversight therefore focuses on process adherence - budgets approved, frameworks adopted, audits passed - rather than on whether Cybersecurity investments meaningfully reduce the organization's most relevant risks.
This makes Cybersecurity governance reactive by design, with boards responding to incidents and regulatory findings rather than shaping risk posture proactively.
Strong dependencies on external advisors
The combination of limited internal expertise and high regulatory pressure creates a structural dependency on external advisors.
Boards increasingly rely on consultants, auditors, and vendors to interpret Cyber risk on their behalf. While external input is necessary, boards without internal expertise are often unable to challenge recommendations, assess trade-offs, or align them with the company's strategic risk appetite.
This dependency weakens accountability and governance: Cybersecurity decisions are influenced by third parties, while boards remain formally responsible but substantively constrained in their ability to govern the topic independently.
Implications on the attractiveness of Cybersecurity as a career
Beyond the above-mentioned effects on Cybersecurity governance through boards, representation on boards of management also has implications for the career trajectory of CISOs and other security executives.
Many CISOs experience a similar problem: Where do you go from your current position?
This has two major implications for Cybersecurity as a professional field:
There is a higher chance that ambitious and smart people will move out of Cybersecurity throughout their career
Cybersecurity programs will be less effective given this lack of career prospects
While Cybersecurity remains a promising career path for people from all backgrounds (a gender gap remains, which must be addressed as well), highly ambitious people aiming for top management jobs will likely not stay in Cybersecurity throughout their career.

The most likely career paths to become a member of either DAX40 board remain traditional management roles in
Finance (24% MB / 24% SB)
Consulting/Audit (10% MB / 14% SB)
Engineering (11% on both boards).
Legal, Risk and Compliance also make up a significant portion of the functional background of many board members at around 5% on both boards.
This can lead to a talent problem where the smartest and most ambitious people in large organizations are likely to move into other functions.
At the same time we need more people from other fields to take on security roles throughout their career to ensure Cybersecurity programs include perspectives from other stakeholders.
We need young executives to find security roles just as interesting and beneficial for their career as leading a major post-merger integration, taking charge of a digital transformation program or turning around an unprofitable division.
If security can be seen as a stepping stone to higher leadership roles, this can work; if security is seen as a career dead-end we will lose this talent pool.
Security programs too often are not well-aligned with the wider business and technology strategy of major companies. Being a closed group of security experts without outside perspectives will not help solve this problem.
Beyond the statistics - what's the reality on the ground?
While the statistics do not look promising for Cybersecurity in German companies, the reality on the inside of these companies is not quite as bleak.
Most DAX40 companies have boards that are actively engaged in managing their Cybersecurity risks. This includes activities such as
Regular reports by the CISO to both boards
Active engagement of board members in major Cybersecurity initiatives
Board-specific training on Cybersecurity risks
For example, one CISO of a DAX40 company told us that they are providing at least 3 hours of training to their SB per year, in addition to the 6 regular reporting sessions they have in front of their SB alone. This does not include the additional reporting sessions to the management board.
In another DAX40 company, we were told that a specific supervisory board member has occasionally requested detailed updates about Cybersecurity-related audit findings of specific business units - showing they are very actively looking at this problem and challenging their security executives.
How do we ensure Cybersecurity stays an attractive career path?
While effective Cybersecurity governance by senior leadership does not strictly require active security experience before joining a board, making sure security jobs are not a career dead-end should be a priority for our industry.
We see several actionable steps boards and Cybersecurity executives can take to make sure security is seen as a career path with a future:
Senior leaders in charge of Cybersecurity should keep championing promising security executives for further top-level management positions
While it is unlikely that CISOs of most companies will become part of boards of management next to CEOs, CFOs and COOs, supervisory boards should aim to screen for Cybersecurity expertise when looking for new members in their ranks.
Cybersecurity executives and their responsible management board members should lobby to have security representatives take part in governance committees beyond the obvious risk and audit committees. For example, digital transformation committees or finance committees - even if just as passive listeners
CISOs and other security executives should find mentors and champions on those boards or with advisors these boards trust.
There is a certain level of politics being played to join and to stay on these boards - so the perception of security executives matters. A key factor here is to make security be seen as supporting the growth of the business, not slowing it down.
The ultimate goal is not to win a popularity contest, but to make security programs more effective by having the necessary support, as well as to retain the best talent to keep winning against threat actors.
Closing thoughts
Cybersecurity budgets have continuously increased over the past decades; this is caused both by the increasing number of Cybersecurity incidents and by a correlated increase in Cybersecurity regulation.
Therefore it remains prudent for both boards to review and challenge the allocation of Cybersecurity resources (budget and organizational attention) against the wider strategy of the business.
At the same time, the role of the CISO is evolving. We see CISOs actively preparing to join supervisory and advisory boards and we have heard from at least one CISO that they are aiming for a management board seat within the next few years.
Following this analysis we will conduct further research into the career paths of CISOs, security leaders and security experts to find out if being a CISO remains an attractive career objective, as well as what comes after it.
Study design
To conduct this analysis we evaluated the CVs of members of management boards and supervisory boards of all DAX40 companies.
Only public sources were evaluated, no interviews were conducted.
AI was used to gather data and perform parts of the analysis.
Definition of relevant security expertise
We were purposefully liberal in the definition of "relevant Cybersecurity expertise", as only a single member of the DAX40 management boards and supervisory boards actually has hands-on operational or leadership experience with Cybersecurity (Marielle Ehrmann, Chief Security Compliance & Risk Officer of SAP, part of their supervisory board since January 2026).
Before conducting our analysis, we defined the following as relevant Cybersecurity experience: Operational and management responsibility for Cybersecurity but not as part of a management board.
This would mean we purposefully exclude e.g. a CFO who is only exposed to Cybersecurity because the CISO at that company happens to report to her - otherwise, all boards would have at least one member with Cybersecurity experience.
We defined the following as "Cybersecurity-adjacent" experience for both boards:
Experience in related functions, such as Corporate Security, IT Compliance, Crisis Management, Business Continuity Management
Experience in Military, Intelligence or Ministry of Defense roles
Experience as a supervisory board or management board member for a dedicated Cybersecurity company.
To clarify the last point: Even though Deutsche Telekom, Allianz, Munich Re and many other DAX40 companies generate part of their revenue with Cybersecurity, a company only counts as a "dedicated Cybersecurity company" if the majority of its revenue comes from security-related products or services.
Coalition Inc., where Oliver Bäte (CEO of Allianz) is a member of the supervisory board, would be one example.
The definition of relevant security expertise plays an important role in understanding the results, especially when comparing security experience against the "functional background" of the board members in question.
For the functional background of board members, we only looked at the start of their career. If their first job was in consulting and the next one in private equity, we would only count the consulting experience.
However, we looked for security experience across all stages of their CV, offering significantly more chances to have gathered the relevant experience somewhere. So if 4% of MB members have expertise in the area of Legal, Risk and Compliance and 3.5% overall have security expertise, the former will have:
1) real long-term work experience in that area, and
2) only one opportunity to gather that experience (at the beginning of their career).
They may have worked in Legal, Risk and Compliance throughout the entire career but the beginning was the only part that mattered.
Besides Marielle Ehrmann, not a single board member we counted as having relevant security experience had any meaningfully long-term exposure to Cybersecurity.
At best, they had a non-board management role that included Cybersecurity or performed consulting in areas that were closely adjacent to Cybersecurity (crisis management for example).
Additional caveats
As analyzing over 800 CVs takes time, there may be some fluctuation in the study sample. The data was gathered and analyzed between September and December 2025.
This could mean that some board positions were replaced in the meantime. We believe this does not meaningfully affect the presented results.