Threatonomics

The rise of CISO 3.0 and what it means for cyber risk

by Emma McGowan, Senior Writer

Rethinking the role of cybersecurity in modern business leadership

The Chief Information Security Officer (CISO) has traditionally been seen as someone who worked behind the scenes, focused on technical details and on making sure the company's network, applications, and data were safe. CISOs were known and appreciated for their technical skills, but far less so for their business acumen.

The CISO of the past was there to defend, defend, defend, but the role is rapidly changing. CISOs are now acknowledged as essential business leaders who make a growing number of business-critical decisions about both security and operations, while also managing a team in a high-burnout field. This shift is largely driven by the growing importance of cyber resilience in the face of increasingly sophisticated and frequent cyber threats.

Cyber attacks are common and inevitable

The frequency of cyber attacks rises each year, and the manner of attacks changes with it. For example, we have seen a marked increase in business interruption at major organizations caused by attacks on the third-party vendors they rely on, as in the 2024 Change Healthcare ransomware attack. Change's parent company, UnitedHealth Group, as well as the providers, pharmacies, and insurers that depend on the clearinghouse, took major hits to business operations during and after the attack, for which a $22 million ransom was reportedly paid.

As a result, businesses are starting to understand that cyber attacks are an unavoidable cost of doing business. Instead of trying to prevent every attack, companies are shifting their focus to stopping the attacks that would cause the greatest losses, and they are aligning their mitigation and risk transfer strategies accordingly. That places cyber risk at the center of decision making.

CISO 3.0

These changes are leading CISOs to redefine their role so that it is more closely aligned with strategic decision-making across the business. One clear indication of this shift is the rising number of CISOs holding positions on corporate boards, increasing from 14% in 2022 to 30% in 2023, according to a survey by the consulting firm Heidrick & Struggles. This reflects a recognition that cybersecurity is an essential part of good corporate governance, and that CISOs need to be involved in strategic discussions at the highest level.

If CISO 1.0 was about the emergence of cybersecurity as a critical function distinct from IT, and CISO 2.0 was characterized by the emergence of the CISO as a key figure in the health of the business, then CISO 3.0, as we outline it here, is characterized by the evolution of the role from a purely technical one into a business-minded executive who treats cyber risk as a financial problem. The role is evolving along three axes: business, technical, and managerial.

Business 

  • Cybersecurity is fundamentally a financial decision. CISOs need to understand the financial implications of cyber risk and be able to translate technical vulnerabilities into financial impacts. They also need a way to quantify and articulate the value of cybersecurity investments in a language that resonates with financial decision-makers. They can use tools such as Resilience’s Edge Engagement Summary, which quantifies risk reduction in financial terms. 
  • Cybersecurity is a business enabler, not just a cost center. CISOs can elevate cybersecurity to a strategic asset that drives business growth. To do this, they need to be able to communicate effectively with the board of directors and executives. They must be able to articulate the value of cybersecurity investments and how they support business goals. 
  • CISOs must speak the language of business when communicating with their boards of directors. When presenting cybersecurity needs to a board, frame the conversation in business terms rather than technical details: the return on investment for the organization and how a proposed investment will reduce risk to the business. Many board members lack cybersecurity expertise, so clear communication is essential, and it is the security leader's job to translate technical concepts into the impact on business operations and overall risk.
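The "translate technical vulnerabilities into financial impacts" point above is easier to act on with a worked example. The block below is an added illustration written for this page; it is not Resilience's Edge Engagement Summary or any other tool named in the article. It takes a hypothetical exploitable vulnerability, models how often it is expected to be exploited and how much each event costs (a FAIR-style frequency and lognormal loss-magnitude model), simulates annual losses before and after a proposed control, and computes return on security investment. Every number, scenario name, and control cost is a constructed assumption.

```python
"""Cyber risk quantification: a technical finding expressed in dollar terms.

Constructed example. The scenarios, frequencies, loss figures and control cost
below are illustrative assumptions, not measured data from any organization.
"""
import math
import random
import statistics
from dataclasses import dataclass

# z-score of the 90th percentile of a standard normal distribution.
Z90 = 1.2815515655446004


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and how bad each event is."""
    name: str
    annual_frequency: float   # expected loss events per year (ARO)
    loss_median: float        # median loss per event, USD
    loss_p90: float           # 90th-percentile loss per event, USD


def annualized_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """Classic ALE = SLE x ARO, for a point-estimate view of a risk."""
    return single_loss_expectancy * annual_rate_of_occurrence


def return_on_security_investment(ale_before, ale_after, annual_control_cost):
    """ROSI = (risk reduction - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def lognormal_params(median, p90):
    """Convert a median / 90th-percentile pair into lognormal (mu, sigma)."""
    if not 0 < median < p90:
        raise ValueError("need 0 < median < p90")
    return math.log(median), math.log(p90 / median) / Z90


def _poisson(rng, lam):
    """Knuth's algorithm for a Poisson-distributed event count."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while p > threshold:
        k += 1
        p *= rng.random()
    return k - 1


def simulate_annual_losses(scenario, years=10_000, seed=7):
    """Monte Carlo: total loss for each simulated year of the scenario."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_median, scenario.loss_p90)
    losses = []
    for _ in range(years):
        events = _poisson(rng, scenario.annual_frequency)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def analytic_ale(scenario):
    """Closed-form expected annual loss: frequency x mean of the lognormal."""
    mu, sigma = lognormal_params(scenario.loss_median, scenario.loss_p90)
    return scenario.annual_frequency * math.exp(mu + sigma ** 2 / 2)


def compare_control(before, after, annual_control_cost, years=10_000, seed=7):
    """Board-facing summary: expected loss, tail loss and ROSI for a control."""
    b, a = simulate_annual_losses(before, years, seed), simulate_annual_losses(after, years, seed + 1)
    mean_b, mean_a = statistics.fmean(b), statistics.fmean(a)
    p95 = lambda xs: sorted(xs)[int(0.95 * len(xs))]
    return {
        "expected_loss_before": mean_b,
        "expected_loss_after": mean_a,
        "p95_loss_before": p95(b),
        "p95_loss_after": p95(a),
        "annual_risk_reduction": mean_b - mean_a,
        "rosi": return_on_security_investment(mean_b, mean_a, annual_control_cost),
    }


# Assumed scenario: an internet-facing app with an exploitable, unpatched flaw.
UNPATCHED = Scenario("unpatched app, exposed", annual_frequency=0.5,
                     loss_median=1_500_000, loss_p90=6_000_000)
# Assumed effect of the proposed control (patch cadence + WAF): fewer successful
# exploits per year; the cost of an event once it happens is unchanged.
MITIGATED = Scenario("patched app behind WAF", annual_frequency=0.1,
                     loss_median=1_500_000, loss_p90=6_000_000)
CONTROL_COST = 150_000  # assumed annual cost of the control, USD

if __name__ == "__main__":
    for key, value in compare_control(UNPATCHED, MITIGATED, CONTROL_COST).items():
        print(f"{key:>24}: {value:,.2f}")
```

The simulation is seeded so the figures are reproducible in a board deck, and the closed-form `analytic_ale` lets you sanity-check the Monte Carlo mean. The frequency reduction is the hinge assumption: it should come from evidence such as exposure scans, exploit availability, or breach-and-attack-simulation results, not from a guess, because ROSI scales almost linearly with it.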

Technical 

  • CISOs must be technically sound and up-to-date on the latest cyber threats. They need to understand how to protect their organization from a technical perspective. This includes implementing security controls, monitoring for threats, and responding to incidents.
  • CISOs need to stay ahead of the bad actors. This requires continuous learning and adaptation, and a proactive rather than reactive approach to security: using techniques such as breach and attack simulation and risk-based vulnerability management to identify and mitigate weaknesses before they can be exploited.

Managerial 

  • CISOs need to champion a security culture across the organization. This means educating employees about cybersecurity risks and best practices. It also means creating a culture where security is everyone’s responsibility.
  • Cybersecurity is a whole-of-organization issue, not just an IT issue. CISOs need cross-functional support from areas outside IT, such as engineering, finance, legal, and HR, which requires establishing a risk-based culture across the organization. That is why we have created a single, comprehensive platform to evaluate an organization's cyber risk environment, assess internal control effectiveness, manage risk transfer, and streamline overall risk management.
  • CISOs need to build a strong team and avoid burnout. This means providing employees with the resources and support they need to do their jobs effectively. It also means creating a work environment where employees feel valued and appreciated. 
  • CISOs must look beyond the corporate network to manage risk holistically. They need to consider subsidiaries, third-party vendors, and the supply chain. This requires a collaborative approach that brings together stakeholders from across the organization. The goal is to create a unified approach to cybersecurity that ensures resilience across all aspects of the business.

This, obviously, is a lot. But CISOs who fail to embrace the evolution of the role are likely to find themselves sidelined in their organization or, worse, out on their ear. A shift in business, technical, and managerial perspectives is essential to becoming a CISO 3.0. That is why we will spend the next year exploring all of the ways the CISO role is evolving as we enter the second quarter of the 21st century.

We’ll link each new article here, so bookmark this page and check back regularly for updates on what it means to be a CISO 3.0. 
