The Corporate CISO Role Is Evolving

Half a century after owning a computer became the norm for businesses, there’s still a tendency to treat a company’s Chief Information Security Officer (CISO) as a slightly eccentric backroom role, siloed away from day-to-day commercial affairs, and brought out only when something has gone wrong.

It is still assumed by many C-suites that, other than calculating the costs of IT breakdowns or cybersecurity breaches, a CISO has little to do with the commercial side of the business.

But recent events are causing those attitudes to change. The CISO is increasingly seen by the rest of the C-suite not simply as a technical or compliance position, but as a full business executive with a vital day-to-day role in a company's commercial success. And that's a good thing: this reenvisaging of the CISO role will help companies better navigate the new cybersecurity threat environment and achieve key business goals.

Cyberattacks As An Ordinary Business Risk

The changing nature of the cyber threat is what prompted this reimagining of the CISO role. Not only has there been a sharp rise in the number of cyberattacks on businesses and other organisations since Russia's invasion of Ukraine in 2022, but new threat vectors have opened up as well.

One example of this is third-party vendors. Most businesses now have their IT systems connected to a number of third-party vendors; a commercial necessity, but one that unfortunately widens the attack surface, as the 2023 breach of Progress Software's MOVEit Transfer product illustrated: a single vulnerability in one vendor's file-transfer tool exposed data at a large number of its customers.

As a result, companies increasingly see cyberattacks simply as a cost of doing business.

Rather than trying to prevent every attack (an increasingly futile task), companies are looking for ways to mitigate and transfer this risk. As such, cyber risk is now being factored into both day-to-day business decision-making and corporate strategy.

The CISO As A Full Business Executive

In 2024, then, cyber risk can no longer be separated from a company's everyday commercial activities and business strategy. Cyberattacks are simply too frequent, and the attack surface too wide, for these matters to be considered in isolation any longer.

Cybersecurity for a business is increasingly a matter of trade-offs. Navigating these trade-offs demands sound judgement about what's best overall for a particular business - something that requires both technical know-how and commercial savvy. For instance, a C-suite will have to determine how to balance the commercial need for connections with third-party vendors against the cybersecurity exposure that those connections create.

In addition, many boards now want the cyber risk they face to be quantified, so that they can factor this figure into their investment decisions.

This re-evaluation of cyber risk is now prompting many companies to remodel their CISO role to more closely align with strategic business decision-making. For starters, an increasing number of CISOs now sit on corporate boards - rising from 14% in 2022 to 30% in 2023, according to the management consultancy Heidrick & Struggles.

This organisational change makes CISOs an ordinary part of corporate governance, helping to bring about the closer integration of cybersecurity with overall business strategy.

The day-to-day work of CISOs is changing as well. CISOs are no longer simply reacting to cybersecurity threats. Instead, they are advising C-suites on vendor risk by conducting third-party risk assessments; building incident preparedness through training and drills; presenting boards with a dollar value for the cyber risk the company faces; proactively monitoring for threats; and advising on how much the company ought to invest in cybersecurity solutions.

As cybersecurity increasingly becomes a matter of trade-offs rather than a search for perfect security, the role of the CISO is transitioning into a more holistic one.

CISOs now act collaboratively, often as a member of the board, to integrate their work into a company's overall business strategy - offering counsel on everything from investment decisions to the selection of third-party vendors. Such an approach better reflects the new reality of the cyber threat environment, and helps businesses adapt to a world where cyber risk is simply a fact of life.

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience
