Strategic leadership in turbulent times: the changing role of CISOs

Published on 29 May 2025

The role of the Chief Information Security Officer (CISO) has changed dramatically in recent years. CEOs recognise that cyber security is an increasingly crucial factor for business success; according to a recent study, 82% of CISOs currently report directly to the CEO, up from 47% in 2023, and attend board meetings regularly. CISOs hold a much more strategic position than in the past, as they are responsible for aligning security initiatives with business objectives. As a CISO Report shows, the primary challenge for companies, especially in the context of new technologies, is to establish a strong security culture in order to contain the increasing cyber risks.

We asked Simon King, Head of Information Security at Infinigate, about his experience and views on this transformation.

1. Are you currently observing any changes in responsibilities, roles, and frameworks for IT/information security? Are tasks being more aggregated or separated—possibly in light of specific regulations?

The role of the CISO has become much more strategic than in the past, bringing security initiatives into alignment with business objectives. There is more emphasis on risk management, assessing regulatory and governance concerns as well as the impact of security threats on business operations. CISOs play an increasingly prominent role in disaster recovery and business continuity, dealing with crisis management and incident response, for example. Recent updates to EU-wide cybersecurity regulations, such as NIS2, DORA and the EU AI Act, only emphasize the crucial role of CISOs today, as part of business leadership teams. Given that security concerns apply beyond the IT department, it is important for CISOs to work with the whole business, across its functions and executive leadership team, delivering vital expert advice on security considerations.
CISOs can help bridge the gap between business functions when it comes to cybersecurity posture, unifying them in their approach to security risk and providing an impartial view of required security measures. In some ways, the CISO role is becoming more integrated and holistic, for example with regard to risk management, by incorporating enterprise to cyber risk management.

2. Is there a tendency toward greater independence/responsibility for “CISO & Co.” or more toward acting as advisors/supporters of other leadership functions? What is your opinion on the potential increase in personal liability for IT security professionals? How might this impact their decision-making and behavior?

The CISO role is no longer exclusively aligned to the IT function. For many years now, CISOs have become expert advisors to the board of directors, with a distinct function and considerable specialization. The recent EU cybersecurity regulations, such as NIS2, DORA and CRA, have gained board level attention, partially on account of the personal liability business leaders now face in case of a breach, so there is a renewed interest in security strategy. CISOs are increasingly seen as bridging that gap between technical security measures and the wider security posture of the business, tailored to its strategic goals.

The heightened concern about cybersecurity, intensified by the ever more stringent EU regulations and the personal liability for business leaders, can drive CISOs to be more risk averse, adopting conservative strategies which prioritize compliance to protect themselves from potential legal repercussions. Conversely, CISOs can react by asking for increased resources to build a robust security strategy that also drives towards compliance with regulations. Improved cybersecurity practices can favour growth, protecting business continuity.

3. How would you assess the current or desired “level of abstraction” for CISOs and their teams?
Should they operate at a more abstract or technology-neutral level, or is it (still or increasingly) necessary for them to know and implement concrete technical solutions?

It is a fine balancing act for CISOs between abstract policies and practical technology implementation. Invariably, this balance is achieved by taking into consideration the size of the organisation, the mindset of the leadership team and the type of regulations that the organisation is subject to. With a higher level of abstraction comes the added benefit of strategic alignment with the business goals and more coherent communication with the board. However, there is still a strong need for technical knowledge to understand and combat the threats that the organisation faces. This is where some of the security frameworks such as NIST CSF v2.0 or ISO27001 help to achieve the desired balance.

4. What common problems and/or challenges do you currently see for CISOs and their teams, both internally and, if applicable, externally?

The most common challenge today is building a security culture, from the leadership through to the employees. Keeping security in the mindset can be achieved in many ways but often it is perceived more as a chore than an enabler. Common challenges that CISOs face today range from securing adequate resourcing, ensuring compliance with new regulations, a wide range of risk profiles (from third parties through to event horizon risks) and the emergence of new technologies, such as AI, which are sometimes quickly embraced before the impact of their adoption is fully understood. On a technical level, the challenge is to strike the right balance between business dynamism and a strong security posture.

5. What tips do you have for CISOs to position themselves and their security organizations optimally in today’s environment/period of change? What might key interfaces, skills, or tools look like?
The key to success is in the ability to communicate across the business, enabling understanding and adoption of the correct security posture across the company. Agile thinking is key to continually adjusting to what is an ever-evolving process. A strong relationship with the leadership team is essential. This is built on providing clear reporting and guidance to ensure a thorough understanding of the importance of cybersecurity, the security strategy and how it aligns with and supports business goals. Support from business leaders is necessary to drive a security culture, with employees as the eyes and the ears of the company. Use an established security framework to drive your security agenda and regularly assess how you are aligned with it. Embracing new technologies is important, after gaining a good understanding of their capabilities and limitations. AI is undoubtedly having a significant impact on the cybersecurity toolset.

6. What additional changes (and potentially when) do you anticipate in this field in the future?

AI will be changing the way we work both in information security and beyond. AI has the potential to help us to focus on clear concerns and reduce the false positives, mitigating the risk posed by alert fatigue. AI is a double-edged sword and can be used for good and for bad ends, so it is crucial to embrace it with the right approach. As our workforce demands increased flexibility in terms of location and work tools, the move towards a zero-trust approach will accelerate. On the horizon, the advancement of AI highlights concerns on deepfake imagery and video, especially as we spend more time on video calls. With quantum technology gaining ground, encryption limitations will increasingly become an issue.