Threatonomics

The rise of CISO 3.0 and what it means for cyber risk

by Emma McGowan, Senior Writer

Rethinking the role of cybersecurity in modern business leadership

The Chief Information Security Officer (CISO) has traditionally been seen as someone who worked behind the scenes, focused on technical details and making sure the company’s network, applications, and data were safe. They were known and appreciated for their tech skills, but maybe not so much their business skills.

The CISO of the past was there to defend, defend, defend, but the role is rapidly changing. CISOs are increasingly acknowledged as essential business leaders who make an increasing number of business-critical decisions around both safety and operations while also managing a team in a high-burnout field. This shift is largely driven by the growing importance of cyber resilience in the face of increasingly sophisticated and frequent cyber threats.

Cyber attacks are common and inevitable

The frequency of cyber attacks rises each year and the manner of attacks changes. For example, we’ve seen a marked increase in business interruption to major organizations via attacks on the third-party vendors that they rely on, as seen in the 2024 Change Healthcare breach. Change’s parent company, UnitedHealth Group (as well as other insurers who contract with the clearinghouse), took major hits to business operations during and after their $22 million ransomware attack.

As a result, businesses are starting to understand that cyberattacks are an unavoidable cost of doing business. Instead of trying to prevent every attack, companies are shifting their focus to stopping the attacks that would cause the greatest losses, and they are aligning their mitigation and risk transfer strategies accordingly, placing cyber risk at the center of decision making.

CISO 3.0

These changes are leading CISOs to redefine their role to be more closely aligned with strategic decision-making across the business. One clear indication of this shift is the rising number of CISOs holding positions on corporate boards, increasing from 14% in 2022 to 30% in 2023, according to a survey by consulting firm Heidrick & Struggles. This reflects a recognition that cybersecurity is an essential part of good corporate governance, and that CISOs need to be involved in strategic discussions at the highest level.

If CISO 1.0 was all about the emergence of cybersecurity as a critical function distinct from IT, and CISO 2.0 was characterized by the emergence of the CISO as a key figure in the health of the business, then CISO 3.0, as we will outline here, is characterized by the evolution of the role from a purely technical one to a business-minded executive who treats cyber risk as a financial problem. The role is evolving along three axes: business, technical, and managerial.

Business 

  • Cybersecurity is fundamentally a financial decision. CISOs need to understand the financial implications of cyber risk and be able to translate technical vulnerabilities into financial impacts. They also need a way to quantify and articulate the value of cybersecurity investments in a language that resonates with financial decision-makers. They can use tools such as Resilience’s Edge Engagement Summary, which quantifies risk reduction in financial terms. 
  • Cybersecurity is a business enabler, not just a cost center. CISOs can elevate cybersecurity to a strategic asset that drives business growth. To do this, they need to be able to communicate effectively with the board of directors and executives. They must be able to articulate the value of cybersecurity investments and how they support business goals. 
  • CISOs must speak the language of business when communicating with their boards of directors. When communicating cybersecurity needs with a board, it is important to frame the conversation in business terms rather than technical details. The focus should be on the return on investment for the organization and how proposed cybersecurity investments will reduce risk to the business. Many board members may lack cybersecurity expertise, so clear communication is essential. Cybersecurity leaders need to learn how to translate technical concepts into language that business leaders can understand. They should be able to articulate the impact of cybersecurity investments on business operations and overall risk.

Technical 

  • CISOs must be technically sound and up-to-date on the latest cyber threats. They need to understand how to protect their organization from a technical perspective. This includes implementing security controls, monitoring for threats, and responding to incidents.
  • CISOs need to be able to stay ahead of the bad actors. This requires continuous learning and adaptation. They need to be proactive in their approach to security, rather than simply reacting to threats. This means using tools and techniques such as breach and attack simulations and vulnerability risk reduction to identify and mitigate risks before they can be exploited.

Managerial 

  • CISOs need to champion a security culture across the organization. This means educating employees about cybersecurity risks and best practices. It also means creating a culture where security is everyone’s responsibility.
  • Cybersecurity is a whole-of-organization issue, not just an IT issue. CISOs need cross-functional support from areas outside of IT, such as engineering, finance, legal, and HR. This requires establishing a risk-based culture across the organization. That’s why we’ve created a single, comprehensive platform that lets organizations evaluate their cyber risk environment, assess internal control effectiveness, manage risk transfer, and streamline overall risk management.
  • CISOs need to build a strong team and avoid burnout. This means providing employees with the resources and support they need to do their jobs effectively. It also means creating a work environment where employees feel valued and appreciated. 
  • CISOs must look beyond the corporate network to manage risk holistically. They need to consider subsidiaries, third-party vendors, and the supply chain. This requires a collaborative approach that brings together stakeholders from across the organization. The goal is to create a unified approach to cybersecurity that ensures resilience across all aspects of the business.

This, obviously, is a lot. But CISOs who fail to embrace the evolution of the role are likely to find themselves sidelined in their organization or worse, out on their ear. A change in business, technical, and managerial perspectives is essential to the move to CISO 3.0. That’s why we’ll be spending the next year exploring all of the ways the CISO role is evolving and changing as we enter the second quarter of the 21st century.

We’ll link each new article here, so bookmark this page and check back regularly for updates on what it means to be a CISO 3.0. 
