The Corporate CISO Role Is Evolving

Half a century after owning a computer became the norm for businesses, there’s still a tendency to treat a company’s Chief Information Security Officer (CISO) as a slightly eccentric backroom role, siloed away from day-to-day commercial affairs, and brought out only when something has gone wrong.

It is still assumed by many C-suites that, other than calculating the costs of IT breakdowns or cybersecurity breaches, a CISO has little to do with the commercial side of the business.

But recent events are causing those attitudes to change. The CISO is increasingly seen by the rest of the C-suite as not simply a technical or compliance position, but as a full business executive with a vital day-to-day role in a company’s commercial success. And that’s a good thing:

This reenvisaging of the CISO role will help companies better navigate the new cybersecurity threat environment and achieve key business goals.

Cyberattacks As An Ordinary Business Risk

The changing nature of the cyber threat is what prompted this reimagining of the CISO role. Not only has there been a sharp rise in the number of cyberattacks on businesses and other organisations since Russia's invasion of Ukraine in 2022, but new threat vectors have opened up as well.

One example of this is third-party vendors. Most businesses now have their IT systems connected to a number of third-party vendors; a commercial necessity, but one that unfortunately widens the attack surface, as the 2023 Progress MOVEit Transfer breach illustrated: a single vulnerability in a file-transfer product used by suppliers exposed data held on behalf of many downstream organisations that had never deployed the product themselves.

As a result, companies increasingly see cyberattacks simply as a cost of doing business.

Rather than trying to prevent every attack (an increasingly futile task), companies are looking for ways to mitigate and transfer this risk, through controls, incident preparedness and cyber insurance. As such, cyber risk is now being factored into both day-to-day business decision-making and corporate strategy.

The CISO As A Full Business Executive

In 2024, then, cyber risk can no longer be separated from a company’s everyday commercial activities and business strategy. Cyber-attacks are simply too frequent, and the surface area for attacks is too wide, for these matters to be considered in isolation any longer.

Cybersecurity for a business is increasingly a matter of trade-offs. Navigating these trade-offs demands sound judgement about what's best overall for a particular business - something that requires both technical know-how and commercial savvy. For instance, a C-suite will have to determine how to balance the commercial need for connections with third-party vendors against the additional exposure those connections create.

In addition, many boards now want the cyber risk they face to be quantified, so they can weigh that figure against the cost of controls and factor it into their investment decisions.

This re-evaluation of cyber risk is now prompting many companies to remodel their CISO role to more closely align with strategic business decision-making. For starters, an increasing number of CISOs now sit on corporate boards - rising from 14% in 2022 to 30% in 2023, according to the management consultancy Heidrick & Struggles.

This organisational change makes CISOs an ordinary part of corporate governance, helping to bring about the closer integration of cybersecurity with overall business strategy. 

The day-to-day work of CISOs is changing as well. CISOs are no longer simply reacting to cybersecurity threats. Instead, they are advising C-suites on vendor risk by conducting third-party risk assessments; building incident preparedness through training and tabletop exercises; presenting boards with a dollar value for the cyber risk the company faces; proactively monitoring for threats; and advising on how much the company ought to invest in cybersecurity solutions.

As cybersecurity increasingly becomes a matter of trade-offs rather than a search for perfect security, the role of the CISO is transitioning into a more holistic one.

CISOs now act collaboratively, often as a member of the board, to integrate their work into a company’s overall business strategy – offering counsel on everything from investment decisions to the selection of third-party vendors. Such an approach better reflects the new reality of the cyber threat environment, and helps businesses adapt to a world where cyber risk is simply a fact of life. 

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience
