
Esther Shein
Contributing writer

6 ways the CISO role is evolving today

Feature
Jun 25, 2024 | 12 mins
Careers, CSO and CISO, IT Leadership

Top IT security execs are rising in prominence, increasing their business acumen, and branching into new arenas, as they become the company’s key purveyor of trust.


While organizations have been fixated on transforming their business processes over the past several years, the top IT security exec role has been transforming as well.

Today’s CISOs and CSOs are heavily involved in developing comprehensive cybersecurity and critical risk management strategies that align with business initiatives. They also play a vital role in fostering collaboration across business units to maintain a holistic security posture. This is a far cry from the days when their role was more technical and focused on foundational security measures such as managing firewalls and antivirus software.

A more significant transformation has occurred since the launch of ChatGPT in 2022, says Christopher Burger, CISO at tech consulting firm Slalom. “The widespread adoption of generative AI for both personal and professional use by employees has considerably expanded the risk and compliance landscape,” Burger notes. “Security leaders now face new challenges in safeguarding their organizations.”

Here are six ways the CISO role is evolving today.

They are more heavily integrated into the business

The main reason for the role shift, cybersecurity leaders say, is an increasingly sophisticated threat landscape that continues to change rapidly.

Further, organizations have matured through cyber education and incident reporting, and executives have “gained broader insight and appreciation for how cyber really impacts our businesses,” says Patricia Titus, CISO at Booking Holdings, a global online travel business.

This raised awareness has resulted in organizations stepping up their game, Titus says. “A major attack has been on the tip of the tongues of executives who want to make sure we do everything we can to avoid a major attack, but there’s now an appreciation it could happen to anyone.”

As a result, CISOs and CSOs are “more heavily integrated into the business,” says Olivia Rose, CISO and founder of Rose CISO Group and a faculty member at IANS Research. “This means that CISOs have had to pick up and learn strategies for aligning what they do at a control level with company-level strategies.”

[Photo: Olivia Rose, CISO and founder, Rose CISO Group. Credit: Rose CISO Group]

The transition from focusing on cybersecurity controls to company-level strategies must ensure that everything security leaders do is supporting the business — while doing their security due diligence as well, Rose says.

CISOs now have to be “so much more than just the person who handles incidents across the company,” agrees Titus. “Today, our role has evolved into more strategic risk discussion versus risk and control frameworks.”

They are purveyors of trust

Partnering with C-suite business leaders offers CISOs a strategic advantage in building the security brand among employees, Burger says. “By enabling safe and responsible use of generative AI through well-established policies that address company demand, and maintaining transparent communication with employees, CISOs can foster trust to ensure secure AI adoption.”

Generative AI is changing the nature of trust, observed Andrew Stanley, CISO and vice president of global digital operations at Mars. Deepfakes are forcing cybersecurity leaders to use different mechanisms because it has become much harder to determine whether something is real.

“Trust is the hardest thing to earn and the easiest to destroy,” said Stanley, speaking at the MIT CIO Symposium in May. “The opportunity we have as C-level executives is to demonstrate what are the mechanisms of trust. … We have some of that muscle, but we have to redeploy it away from a sense of defense to productive skepticism.”

Organizations are depending on their cybersecurity leaders to adopt a sense of “incredulousness,” Stanley said. “We spend all this time using technology to make things better, faster.” In a deepfake world, that needs to be flipped, he said, and CSOs and CISOs need to “make sure … things are dumber. That’s how you trip it up.”

Companies are struggling to adopt AI, Stanley said. “It’s not fail fast and revise, it’s a whole different paradigm,” and one that business leaders are looking to their security leaders to structure.

Stanley also cautioned that generative AI is being used “in ways that can so aggressively undermine what we all agree is right or what we’re trying to do. We lose control of the situation by being arrogant and almost flippant about what the impact of these [AI] technologies are.”

They are under increased pressure as regulations rise

The Securities and Exchange Commission rolled out new cybersecurity rules at the end of 2023, mandating the disclosure of a cybersecurity incident within four business days, and many CISOs are now tasked with reporting them.

This has created a new dimension of responsibility for CISOs, who are “being brought into more strategic conversations and also decision-making bodies at the executive level,’’ notes Titus.

“The CISO is expected and required to function across the business operations landscape, from obtaining cyber insurance coverage to assuring clients, vendors, or suppliers of a strong security posture and the ability to recover quickly in the event of a major incident,” adds David Hull, CISO at technology research and advisory firm ISG.

[Photo: David Hull, CISO, ISG. Credit: ISG]

In the past year, there have also been significant increases in global cyber regulations impacting US-listed companies and businesses in the financial services and critical infrastructure sectors, Hull notes.

“These regulations have placed cyber resilience high on the CISO priority list and increased demand on CISOs to ensure compliance and adjust local policies and controls to comply with regulatory requirements,” Hull says. “The CISO is now expected to consider the potential impact on the business, investors, and shareholders, understand cyber risk at the executive level, and integrate such risk into the wider business strategy.”

This highlights the need for CSOs and CISOs to take on “responsibilities for not just preparing for a security incident, but also for driving resiliency and verifiable governance through the organization for greater transparency and compliance,” says Sebastian Lange, CSO at SAP.

Perhaps it is no surprise then that a recent survey from AuditBoard found that 75% of executives reported having a cybersecurity expert sitting on their board. “The CISO is the most commonly reported position responsible for determining materiality (32%)” of a breach, the report said.

[Photo: Sebastian Lange, CSO, SAP. Credit: SAP]

Their stature, remit, and influence are on the rise

The CISO role has been elevated and these cybersecurity leaders now have more influence — but are also expected to get things done more rapidly, says Simon Goldsmith, enterprise security and platforms lead at OVO, a UK-based independent energy retailer. “You build credibility by delivering what you say and taking the right approach to security and not being an alarmist but a collaborator,” he says.

Yet, CSOs can also fall into “all sorts of traps” and be seen as residing in an “ivory tower and not being close to the business,” Goldsmith adds. To avoid this, CSOs must enable resilience and increase the likelihood of the business achieving its objectives. This requires reducing downside risk, he says.

“Putting it in investment terms, if you take on risky investments you increase the chances of upside and things working out better than you expected,” he says. Goldsmith finds that technologists are very good at figuring out how to maximize the benefits and opportunities technology presents, but as the lead security person “you have to help [business leaders] then identify the downside risks … and manage those to a minimum.”

Goldsmith saw his role elevated at the end of 2023 when he was given the added responsibility of overseeing laptops/desktops, enterprise software, and OVO’s service desk. “Some CISOs have been effective at understanding and engaging with the whole business. I would suggest this is another reason that taking on responsibilities more commonly assigned to a CIO is happening more for CISOs,” he says.

[Photo: Simon Goldsmith, enterprise security and platforms lead, OVO. Credit: OVO]

Booking Holdings’ Titus is also seeing some of her CISO colleagues taking on infrastructure responsibility and says that implementing controls helps foster a better partnership with the CIO/CTO to ensure stronger security and privacy.

Rinki Sethi, CISO of payment site Bill, has seen her role become “far more influential across the business and with heightened attention from executives and the board.” She attributes that to strong communication skills and the ability to educate and influence leaders on risk issues.

But with the growing stature, there should be safeguards put in place for CSOs/CISOs, she says. “I believe the CISO role needs to evolve further both in reporting structure at most companies and in the standard protections offered to CISOs as an officer of the company,” Sethi says.

[Photo: Rinki Sethi, CISO, Bill. Credit: Bill]

They are translating tech into business strategy

With security increasingly seen as a business imperative, security execs need to be able to articulate security and compliance risks in business and financial terms to board members and business executives, says SAP’s Lange.

In addition to proposing and implementing controls that can integrate effectively into an organization’s business strategy, CISOs must also be able to translate what those security controls are and explain the need to prioritize risk and risk remediation in financial terms, Lange says. This will ensure the effective use of the security budget and protect critical assets.

As CISOs widen their focus from the security organization to organization-wide strategies, they are part of the discussion on issues such as how to increase revenue, reduce costs, scale successfully, improve customer satisfaction, automate processes, and reduce risk, according to Rose.

“CISOs have to translate technical controls to company-level strategies so they make sense,” she says. For example, executives and boards “likely do not understand what cloud entitlements are in the cloud, but the CISO needs to translate that as ‘This is a tool which detects, identifies, and remediates risks associated with identity,’” she says.

The importance of this translation from cybersecurity controls to company-level strategies ensures that what security leaders are doing “on the ground” actually supports the business and due diligence is being performed to meet regulatory and legal requirements, Rose says.

A significant benefit is that “you will enhance understanding from mostly non-technical audiences to obtain buy-in for executive support and funding,” she says. “When an audience understands the ask and can relate it to the business issues that affect them, they are more likely to agree with the need behind the ask.”

Booking Holdings’ Titus echoes that, saying that CSOs must bridge the gap that has existed with business executives and build relationships with the general counsel, CEO, and other key roles to “communicate your message [but] not in technobabble.”

For example, “If I said, ‘Threat actors were able to compromise our systems through gaining control of someone’s identity and password and bypassing multifactor authentication,’” that could be simplified to say the network perimeter has been compromised, she says.

They aren’t resting on their laurels

CISOs can adapt to their expanding role by promoting close alignment with senior leadership on the company’s strategic priorities, to ensure the safe and responsible use of generative AI technologies, says Slalom’s Burger.

“In addition, the security department’s early adoption of generative AI to enhance security operations, knowledge management, and incident response can positively position CISOs,” he says. “This proactive approach demonstrates thought leadership and supports effective partnerships with the business to develop secure AI solutions for the company.”

To maintain their growing stature and evolving role, CSOs/CISOs “must scale their mandate in the face of increasingly accelerated disruptive technological changes” from AI and cloud transformations, greater customer trust expectations, and a threat landscape that continues to intensify, SAP’s Lange says.

Adapting to the velocity of change and providing a consistent defensible risk posture “necessitates the adoption of measurable, verifiable central controls frameworks as a bedrock of security agility,” he adds.

With security now a foundational component of business operations, it is incumbent upon CSOs and CISOs to understand why the business is doing what it’s doing, and what the priorities are, and align technology with those priorities, says Jason Loomis, CISO of cloud SaaS provider Freshworks.

This will potentially position them for other C-level roles, he believes.

“The experience most CISOs come with is having all the responsibility and none of that authority, and yet, they have to affect change in organizations, all while being advanced technologists that keep up with emerging trends,” Loomis says. “All these traits make the CISO a ripe candidate for other C-level roles.”

Esther Shein is a journalist with extensive experience writing and editing for both print and the web with a focus on business and technology as well as education and general interest features.