12 Nov
The Evolving Role of the CISO in Modern Business
The role of the Chief Information Security Officer (CISO) is undergoing a significant transformation. As cyber threats become more sophisticated and pervasive, the responsibilities of CISOs have expanded beyond traditional IT security to include a broader strategic role in the boardroom. “In a world rife with economic and geopolitical challenges,” says Mike Rogers, Former Director of the NSA and Operating Partner at venture group Team8, “cybersecurity takes center stage as enterprises recognize the critical necessity of increasing investment in robust defense measures to protect their most valuable assets.”
In turn, that newly centered role for cybersecurity has had profound implications for its highest level leaders.
Expanding Job Duties
The first evolution is simply that more and more organizations have a dedicated cybersecurity executive at all. Growth here has been slow but definite. In 2020, Foundry (formerly IDG) found that only 61% of respondents to its Security Priorities survey had a top-level security executive such as a CISO, CSO, or similar. Its 2023 report found that 65% of organizations do (83% for large enterprises).
Traditionally focused on the technical aspects of cybersecurity, CISOs are now finding their job duties expanding into areas such as business continuity, privacy, regulatory compliance, and risk management. This shift is a response to the growing realization that cybersecurity is not just an IT issue but a critical component of overall business strategy. As such, CISOs are increasingly involved in crafting policies that balance risk with opportunity, ensuring that security measures do not impede the organization’s ability to innovate and compete.
In fact, the CISO role has expanded so much in recent years that CSO Online has even recommended splitting the function into two complementary positions: one focused on business risk management and the other focused on technical execution.
The Need for Non-Security Skills
To maintain or increase their effectiveness, CISOs now require a wider array of non-security skills. Leadership, communication, and strategic thinking have become as important as technical expertise. CISOs must be able to articulate complex security concepts in terms that are understandable, relatable, and meaningful to other business leaders, demonstrating how cybersecurity affects financial performance, brand reputation, and customer trust.
These added skills, especially communication and the ability to build cross-department dialogues and networks, make a tangible difference. For example, Gartner has found that most successful CISOs are more than twice as likely (80% vs. 37%) to initiate discussions around staying ahead of threats as the least successful CISOs and nearly twice as likely to proactively keep decision makers aware of current and emerging risks.
Transition to Strategic Leadership
As they transition from technical administrators to strategic leaders, CISOs are now expected to contribute to strategic discussions at the highest levels of the organization. That said, there is a lot of room for growth here. 40% of CISOs say they want to increase their level of involvement with corporate boards, but only 30% of CISOs currently sit on a corporate board, and only 24% report directly to the CEO.
Challenges in Staffing
“Finding a CISO with experience as well as the other factors will be a challenge, as the whole concept of a CISO has really not been around in the space for all that long (about 20 years, give or take – before then, it was a sub-category under IT/CIO),” Chris Steffen, research director at analyst and consulting firm Enterprise Management Associates, tells CSO Online. “Keep in mind that there is a shortage of qualified InfoSec types everywhere, and at the leadership level most of all.”
Indeed, as the role of the CISO becomes more complex and demanding, finding qualified individuals to fill these positions is expected to become increasingly difficult. Making recruitment and retention even more challenging, the stress associated with the job is significant, with 62% of CISOs reporting high levels of stress. This, combined with the fact that 36% of CISOs have considered leaving their current job within a year and 46% have contemplated exiting the cybersecurity field altogether, points to potential challenges in retaining talent.
Conclusion
So, what do you do if you don’t have a CISO, if the role doesn’t report directly to the CEO or board, or if the person in it lacks the functional and strategic skills increasingly needed for success in this area?
The first step is to review how the position operates within your organization. If it doesn’t have executive access, make sure it does. Make sure your CISOs have the broad range of skills needed, or consider (as CSO Online suggests) splitting one over-sized role into two more manageable roles.
Getting outside help can also make a big difference in either supplementing existing teams or serving as a “virtual CISO” in the interim, especially in the face of skills and personnel shortages in this area. “Security considerations rank extremely high on the minds of executive leadership, and having a seasoned professional to lead the security program has changed from a ‘nice to have’ to a ‘must have’ position,” Steffen says. “With that said, getting outside help is probably not a bad idea for these positions.”
About PSL
PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.