The evolution of a CISO: How the role has changed

In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.

With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt to meet the cyber challenges of the future?

Steve Katz became the world’s first CISO when he took the position at Citicorp/Citigroup in 1995. From the beginning of his CISO journey, Katz realized that the role was not just an IT position; it was about serving the business by reducing risk. In the following years, other organizations added this new position, with the CISO reporting to the CIO in most organizational structures. While many CISOs recognized the true nature of their role, the rest of their organizations were often not on the same page.

In time, CISOs found themselves managing issues outside their organizations, such as building partnerships, working with suppliers and managing external data transmissions. However, many organizations felt the role still primarily remained in the IT realm, with the foremost responsibility of keeping the business from making headlines due to a major cybersecurity breach or attack. This meant that many CISOs mainly focused on compliance and risk management.

In recent years, the CISO role has taken another significant shift in the face of increasing cyberattacks and the growing risks of business disruption, fines and reputational damage. According to Splunk’s CISO Report, 86% of those surveyed say that the role has changed so much since they became a CISO that it’s almost a different job. The role has moved from primarily being a technical role to more of a business leader.

Instead of implementing cybersecurity, CISOs now focus on helping the organization’s leaders understand the importance of cybersecurity and lead the strategic thought for the organization’s cyber strategy. CISOs bridge the gap between the technical language that comes easily to the IT department and the business language of senior leadership.

This shift also caused a reshaping of the organizational structure, with 47% of CISOs now reporting directly to their CEO, according to the Splunk report. By having the CISO answer to the CEO instead of the CIO, the organization illustrates the importance of cybersecurity as a key priority. Additionally, CISOs now have a bigger influence with a seat at the executive table and, often, even on the board of directors.

Cybersecurity experts debate whether the role of CISO should focus on business or technology. As we move forward, the answer will solidly fall into the middle. More than ever before, today’s successful CISOs must possess a rare blend of both technical and business acumen to truly succeed at the role.

Instead of simply helping the organization speak a common language in terms of cybersecurity and risk, the CISO will take a larger leadership role, owning the cybersecurity strategy for the entire organization. With the increased profile and responsibility, other employees will also realize the importance of cybersecurity in organizations.

As one of the newer executive roles, only existing for the past few decades, the CISO has evolved considerably since Katz made the news. As threats grow more sophisticated and businesses become increasingly digital, the business disruption of cybersecurity attacks often affects every aspect of a company. Organizations that realize the increased importance of cybersecurity and evolve their CISO role can create a culture where every employee and executive views cybersecurity as their job.