
The rise of CISO 3.0 and what it means for cyber risk

by Emma McGowan, Senior Writer

Rethinking the role of cybersecurity in modern business leadership

The Chief Information Security Officer (CISO) has traditionally been seen as someone who worked behind the scenes, focused on technical details and making sure the company’s network, applications, and data were safe. They were known and appreciated for their tech skills, but maybe not so much their business skills.

The CISO of the past was there to defend, defend, defend, but the role is rapidly changing. CISOs are increasingly acknowledged as essential business leaders who make a growing number of business-critical decisions around both safety and operations, while also managing a team in a high-burnout field. This shift is largely driven by the growing importance of cyber resilience in the face of increasingly sophisticated and frequent cyber threats.

Cyber attacks are common and inevitable

The frequency of cyber attacks rises each year, and the manner of attacks changes. For example, we’ve seen a marked increase in business interruption at major organizations via attacks on the third-party vendors they rely on, as seen in the 2024 Change Healthcare breach. Change’s parent company, UnitedHealth Group (as well as other insurers who contract with the clearinghouse), took major hits to business operations during and after their $22 million ransomware attack.

As a result, businesses are starting to understand that cyberattacks are an unavoidable cost of doing business. Instead of trying to prevent every attack, companies are shifting their focus to stopping the attacks that can cause the greatest losses. They are aligning their mitigation and risk transfer strategies accordingly, placing cyber risk at the center of decision making.

CISO 3.0

These changes are leading CISOs to redefine their role to be more closely aligned with strategic decision-making across the business. One clear indication of this shift is the rising number of CISOs holding positions on corporate boards, increasing from 14% in 2022 to 30% in 2023, according to a survey by consulting firm Heidrick & Struggles. This reflects a recognition that cybersecurity is an essential part of good corporate governance, and that CISOs need to be involved in strategic discussions at the highest level.

If CISO 1.0 was all about the emergence of cybersecurity as a critical function distinct from IT, and CISO 2.0 was characterized by the emergence of the CISO as a key figure in the health of the business, then CISO 3.0, as we will outline here, is characterized by the evolution of the role from a purely technical one to a business-minded executive who treats cyber risk as a financial problem. The role is evolving along business, technical, and managerial foci.

Business 

  • Cybersecurity is fundamentally a financial decision. CISOs need to understand the financial implications of cyber risk and be able to translate technical vulnerabilities into financial impacts. They also need a way to quantify and articulate the value of cybersecurity investments in a language that resonates with financial decision-makers. They can use tools such as Resilience’s Edge Engagement Summary, which quantifies risk reduction in financial terms. 
  • Cybersecurity is a business enabler, not just a cost center. CISOs can elevate cybersecurity to a strategic asset that drives business growth. To do this, they need to be able to communicate effectively with the board of directors and executives. They must be able to articulate the value of cybersecurity investments and how they support business goals. 
  • CISOs must speak the language of business when communicating with their boards of directors. When communicating cybersecurity needs with a board, it is important to frame the conversation in business terms rather than technical details. The focus should be on the return on investment for the organization and how proposed cybersecurity investments will reduce risk to the business. Many board members may lack cybersecurity expertise, so clear communication is essential. Cybersecurity leaders need to learn how to translate technical concepts into language that business leaders can understand. They should be able to articulate the impact of cybersecurity investments on business operations and overall risk.
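The "cyber risk as a financial problem" framing above can be made concrete with a small expected-loss calculation. The following is an added example, not code from the article or from Resilience; the scenarios, frequencies, loss figures and the control's effect are all constructed, and the ALE/ROSI formulas are the standard annualized-loss-expectancy and return-on-security-investment calculations rather than any Resilience product method.

```python
"""Added example: rank constructed cyber-risk scenarios by annual expected
loss and price a proposed control in dollar terms. All figures are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # estimated loss-event frequency
    loss_per_event: float    # estimated single-event loss in dollars

    def annual_expected_loss(self) -> float:
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fractional frequency reduction keyed by scenario name; unlisted = 0
    frequency_reduction: dict


def rank_by_expected_loss(scenarios):
    """Scenarios ordered from largest to smallest annual expected loss."""
    return sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)


def evaluate_control(scenarios, control):
    """Dollar risk reduction and return on security investment for a control."""
    before = sum(s.annual_expected_loss() for s in scenarios)
    after = sum(s.annual_expected_loss() * (1 - control.frequency_reduction.get(s.name, 0.0))
                for s in scenarios)
    reduction = before - after
    rosi = (reduction - control.annual_cost) / control.annual_cost
    return {"before": before, "after": after, "reduction": reduction, "rosi": rosi}


# Constructed risk register: a vendor-outage scenario dominates, echoing the
# article's point about third-party-driven business interruption.
SCENARIOS = [
    Scenario("phishing-led account takeover", 2.0, 150_000.0),
    Scenario("third-party vendor outage", 0.5, 4_000_000.0),
    Scenario("lost or stolen laptop", 4.0, 20_000.0),
]
# Hypothetical control: vendor contingency planning plus an MFA rollout.
CONTROL = Control("vendor contingency + MFA", 250_000.0,
                  {"third-party vendor outage": 0.4, "phishing-led account takeover": 0.8})

if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        print(f"{s.name:32s} ${s.annual_expected_loss():>12,.0f}/yr")
    print(evaluate_control(SCENARIOS, CONTROL))
```

Presenting the output as "this control removes about $1.04M of expected annual loss for $250K" is the kind of board-level statement the bullet above calls for.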

Technical 

  • CISOs must be technically sound and up-to-date on the latest cyber threats. They need to understand how to protect their organization from a technical perspective. This includes implementing security controls, monitoring for threats, and responding to incidents.
  • CISOs need to be able to stay ahead of the bad actors. This requires continuous learning and adaptation. They need to be proactive in their approach to security, rather than simply reacting to threats. This means using tools and techniques such as breach and attack simulations and vulnerability risk reduction to identify and mitigate risks before they can be exploited.

Managerial 

  • CISOs need to champion a security culture across the organization. This means educating employees about cybersecurity risks and best practices. It also means creating a culture where security is everyone’s responsibility.
  • Cybersecurity is a whole-of-organization issue, not just an IT issue. CISOs need cross-functional support from areas outside of IT, such as engineering, finance, legal, and HR. This requires establishing a risk-based culture across the organization. That’s why we’ve created a single, comprehensive platform for organizations to evaluate their cyber risk environment, assess internal control effectiveness, manage risk transfer, and streamline overall risk management.
  • CISOs need to build a strong team and avoid burnout. This means providing employees with the resources and support they need to do their jobs effectively. It also means creating a work environment where employees feel valued and appreciated. 
  • CISOs must look beyond the corporate network to manage risk holistically. They need to consider subsidiaries, third-party vendors, and the supply chain. This requires a collaborative approach that brings together stakeholders from across the organization. The goal is to create a unified approach to cybersecurity that ensures resilience across all aspects of the business.

This, obviously, is a lot. But CISOs who fail to embrace the evolution of the role are likely to find themselves sidelined in their organization or, worse, out on their ear. A shift in business, technical, and managerial perspectives is essential in the shift to CISO 3.0. That’s why we’ll be spending the next year exploring all of the ways the CISO role is evolving and changing as we enter the second quarter of the 21st century.

We’ll link each new article here, so bookmark this page and check back regularly for updates on what it means to be a CISO 3.0. 
