April 2, 2024 By Jennifer Gregory 3 min read

In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.

With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt to meet the cyber challenges of the future?

The CISO’s role in the past

Steve Katz became the world’s first CISO when he took the position at Citicorp/Citigroup in 1995. From the beginning of his CISO journey, Katz realized that the role was not just an IT position; it was about serving the business by reducing risk. In the following years, other organizations added this new position, with the CISO reporting to the CIO in most organizational structures. While many CISOs recognized the true nature of their role, the rest of their organizations were often not on the same page.

In time, CISOs found themselves managing issues outside their organizations, such as building partnerships, working with suppliers and managing external data transmissions. However, many organizations felt the role still primarily remained in the IT realm, with the foremost responsibility of keeping the business from making headlines due to a major cybersecurity breach or attack. This meant that many CISOs mainly focused on compliance and risk management.

The role of CISOs today

In recent years, the CISO role has taken another significant shift in the face of increasing cyberattacks and the growing risks of business disruption, fines and reputational damage. According to Splunk’s CISO Report, 86% of those surveyed say that the role has changed so much since they became a CISO that it’s almost a different job. The role has moved from primarily being a technical role to more of a business leader.

Instead of implementing cybersecurity, CISOs now focus on helping the organization’s leaders understand the importance of cybersecurity and lead the strategic thought for the organization’s cyber strategy. CISOs bridge the gap between the technical language that comes easily to the IT department and the business language of senior leadership.

This shift also caused a reshaping of the organizational structure, with 47% of CISOs now reporting directly to their CEO, according to the Splunk report. By having the CISO answer to the CEO instead of the CIO, the organization illustrates the importance of cybersecurity as a key priority. Additionally, CISOs now have a bigger influence with a seat at the executive table and, often, even on the board of directors.

Future predictions for the CISO role

Cybersecurity experts debate whether the role of CISO should focus on business or technology. As we move forward, the answer will solidly fall into the middle. More than ever before, today’s successful CISOs must possess a rare blend of both technical and business acumen to truly succeed at the role.

Instead of simply helping the organization speak a common language in terms of cybersecurity and risk, the CISO will take a larger leadership role, owning the cybersecurity strategy for the entire organization. With the increased profile and responsibility, other employees will also realize the importance of cybersecurity in organizations.

As one of the newer executive roles, only existing for the past few decades, the CISO has evolved considerably since Katz made the news. As threats grow more sophisticated and businesses become increasingly digital, the business disruption of cybersecurity attacks often affects every aspect of a company. Organizations that realize the increased importance of cybersecurity and evolve their CISO role can create a culture where every employee and executive views cybersecurity as their job.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today