Reading time: 4 minutes
Category: Trends and Reports
Author: Yuri Bobbert
The role of Chief Information Security Officer (CISO) is rapidly changing. Once a primarily technical position, it now comes with a range of new responsibilities. Executives increasingly rely on CISOs; but this can be risky.
The CISO is no longer solely responsible for “technical cybersecurity”; instead, their focus has shifted to managing risks that directly impact business objectives.
According to the Wall Street Journal, this shift is reflected in higher salaries, a broader job description and a stronger presence within the executive leadership team. But how realistic is this perception?

The growing responsibilities of the CISO
While U.S. CISOs are seeing a rise in salaries, their European counterparts seem to be largely left behind. The pressure on both is growing regardless. New rules and regulations – such as the potential for CISOs to be held personally accountable for security incidents – push organizations to prioritize cybersecurity at the highest level.
But security is no longer just an IT issue. Cyber risks affect the entire organization, from reputation management to operational continuity. With the rise of AI, smart devices (IoT and OT), and an increase in corporate espionage, the CISO is no longer just a technical expert, but a strategic leader within the C-suite.
The so-called solution? The CISO ‘simply’ needs to keep developing their skills. But that’s an oversimplification. No matter how valuable personal development and professional growth are, no one person should shoulder all these responsibilities without adequate support. Without the right tools, collaboration and a clear division of responsibilities within the organization, the burden on CISOs will quickly become both unsustainable and unbearable.
From traditional to modern: How CISO responsibilities have changed
In practice, we see two types of CISOs.
The traditional CISO often takes a lone-wolf approach and tries to maintain control over every aspect of security. They are often stubborn, pragmatic, and focus on technical solutions and security jargon, which can alienate other departments they’re supposed to collaborate with. This can lead to burnout and a lack of buy-in from the rest of the organization.
The modern CISO understands that security is a business-critical subject that must be broadly supported across the entire organization. They take a simple and pragmatic approach: tasks can be delegated, and you should work closely with other departments. This CISO prioritizes: identify the risks with the highest business impact and address those first.

Balancing technical security and business strategy
Consider the following example: a mid-sized organization is dealing with a large number of phishing attacks. A traditional CISO would focus on what they can control, like implementing a new email filtering system. A modern CISO would look at the bigger picture: while also implementing an email filtering system, they would additionally launch an awareness campaign on how to spot and handle phishing attempts.
My take: the challenges that CISOs face can become too much if they aren’t given the right support. Stricter regulations like SEC disclosure requirements and increasing data breach costs (now averaging $4.45 million per incident) add to the complexity of what CISOs have to deal with. A CISO who relies only on their own skills and focuses solely on ‘IT security’ will inevitably hit the limits of that approach.
How organizations can support the expanding CISO role
Security is a shared responsibility. Involve all departments in this process and ensure they understand their role in it. Research shows that 96% of all CEOs view cybersecurity as a critical growth strategy. Yet 74% express concern about their ability to effectively respond to cyberattacks – which confirms the CISO’s crucial role.
Cybersecurity should be treated as an integral part of risk management and business strategy, not just a technical issue. This means the CISO has a seat at the executive table, just as a CFO does for financial oversight.
Provide CISOs with the right tools to assess risks and set priorities based on real-time data. Additionally, facilitate training courses and collaboration between IT, compliance, legal and even external experts.
Fostering a culture of continuous learning and improvement ensures that cybersecurity becomes a company-wide priority.
Cybersecurity leadership: Why CISO responsibilities go beyond IT
The pressure on CISOs is ever increasing, not just due to evolving threats and complex technology, but also because of stricter rules and regulations. The solution, however, is not just personal development for CISOs. Cybersecurity is no longer just a technical subject: it directly impacts business continuity, reputation and regulatory compliance.
Organizations must invest in offering clear overviews and fostering collaboration to ensure a company-wide security culture. Only then can cybersecurity become a core responsibility of the entire organization, rather than the burden of one overworked specialist.