Rethinking the role of cybersecurity in modern business leadership
The Chief Information Security Officer (CISO) has traditionally been seen as someone who worked behind the scenes, focused on technical details and making sure the company’s network, applications, and data were safe. They were known and appreciated for their tech skills, but maybe not so much their business skills.
The CISO of the past was there to defend, defend, defend, but the role is rapidly changing. CISOs are increasingly acknowledged as essential business leaders who make an increasing number of business-critical decisions around both safety and operations while also managing a team in a high-burnout field. This shift is largely driven by the growing importance of cyber resilience in the face of increasingly sophisticated and frequent cyber threats.
Cyber attacks are common and inevitable
The frequency of cyber attacks rises each year and the manner of attacks changes. For example, we’ve seen a marked increase in business interruption to major organizations via attacks on the third-party vendors that they rely on, as seen in the 2024 Change Healthcare breach. Change’s parent company, UnitedHealth Group (as well as other insurers who contract with the clearinghouse), took major hits to business operations during and after their $22 million ransomware attack.
As a result, businesses are starting to understand that cyber attacks are an unavoidable cost of doing business. Instead of trying to prevent every attack, companies are shifting their focus to stopping the attacks that can cause the greatest losses. Similarly, they are focusing their mitigation and risk transfer strategies accordingly, placing cyber risk at the center of decision-making.
CISO 3.0
These changes are leading CISOs to redefine their role to be more closely aligned with strategic decision-making across the business. One clear indication of this shift is the rising number of CISOs holding positions on corporate boards, increasing from 14% in 2022 to 30% in 2023, according to a survey by consulting firm Heidrick and Struggles. This reflects a recognition that cybersecurity is an essential part of good corporate governance, and that CISOs need to be involved in strategic discussions at the highest level.
If CISO 1.0 was all about the emergence of cybersecurity as a critical function distinct from IT, and CISO 2.0 was characterized by the emergence of the CISO as a key figure in the health of the business, then CISO 3.0, as we will outline here, is characterized by the evolution of the role from a purely technical one to a business-minded executive focused on cyber risk as a financial problem. The role is evolving along business, technical, and managerial foci.
Business
- Cybersecurity is fundamentally a financial decision. CISOs need to understand the financial implications of cyber risk and be able to translate technical vulnerabilities into financial impacts. They also need a way to quantify and articulate the value of cybersecurity investments in a language that resonates with financial decision-makers. They can use tools such as Resilience’s Edge Engagement Summary, which quantifies risk reduction in financial terms.
- Cybersecurity is a business enabler, not just a cost center. CISOs can elevate cybersecurity to a strategic asset that drives business growth. To do this, they need to be able to communicate effectively with the board of directors and executives. They must be able to articulate the value of cybersecurity investments and how they support business goals.
- CISOs must speak the language of business when communicating with their boards of directors. When communicating cybersecurity needs with a board, it is important to frame the conversation in business terms rather than technical details. The focus should be on the return on investment for the organization and how proposed cybersecurity investments will reduce risk to the business. Many board members may lack cybersecurity expertise, so clear communication is essential. Cybersecurity leaders need to learn how to translate technical concepts into language that business leaders can understand. They should be able to articulate the impact of cybersecurity investments on business operations and overall risk.
Technical
- CISOs must be technically sound and up-to-date on the latest cyber threats. They need to understand how to protect their organization from a technical perspective. This includes implementing security controls, monitoring for threats, and responding to incidents.
- CISOs need to be able to stay ahead of the bad actors. This requires continuous learning and adaptation. They need to be proactive in their approach to security, rather than simply reacting to threats. This means using tools and techniques such as breach and attack simulations and vulnerability risk reduction to identify and mitigate risks before they can be exploited.
Managerial
- CISOs need to champion a security culture across the organization. This means educating employees about cybersecurity risks and best practices. It also means creating a culture where security is everyone’s responsibility.
- Cybersecurity is a whole-of-organization issue, not just an IT issue. CISOs need cross-functional support from areas outside of IT, such as engineering, finance, legal, and HR. This requires establishing a risk-based culture across the organization. That’s why we’ve created a single, comprehensive platform to evaluate an organization’s cyber risk environment, assess internal control effectiveness, manage risk transfer, and streamline overall risk management.
- CISOs need to build a strong team and avoid burnout. This means providing employees with the resources and support they need to do their jobs effectively. It also means creating a work environment where employees feel valued and appreciated.
- CISOs must look beyond the corporate network to manage risk holistically. They need to consider subsidiaries, third-party vendors, and the supply chain. This requires a collaborative approach that brings together stakeholders from across the organization. The goal is to create a unified approach to cybersecurity that ensures resilience across all aspects of the business.
This, obviously, is a lot. But CISOs who fail to embrace the evolution of the role are likely to find themselves sidelined in their organization or, worse, out on their ear. A shift in business, technical, and managerial perspectives is essential in the move to CISO 3.0. That’s why we’ll be spending the next year exploring all of the ways the CISO role is evolving and changing as we enter the second quarter of the 21st century.
We’ll link each new article here, so bookmark this page and check back regularly for updates on what it means to be a CISO 3.0.