April 2, 2024 By Jennifer Gregory 3 min read

In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.

With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt to meet the cyber challenges of the future?

The CISO’s role in the past

Steve Katz became the world’s first CISO when he took the position at Citicorp/Citigroup in 1995. From the beginning of his CISO journey, Katz realized that the role was not just an IT position; it was about serving the business by reducing risk. In the following years, other organizations added this new position, with the CISO reporting to the CIO in most organizational structures. While many CISOs recognized the true nature of their role, the rest of their organizations were often not on the same page.

In time, CISOs found themselves managing issues outside their organizations, such as building partnerships, working with suppliers and managing external data transmissions. However, many organizations felt the role still primarily remained in the IT realm, with the foremost responsibility of keeping the business from making headlines due to a major cybersecurity breach or attack. This meant that many CISOs mainly focused on compliance and risk management.

The role of CISOs today

In recent years, the CISO role has taken another significant shift in the face of increasing cyberattacks and the growing risks of business disruption, fines and reputational damage. According to Splunk’s CISO Report, 86% of those surveyed say that the role has changed so much since they became a CISO that it’s almost a different job. The role has moved from a primarily technical position to that of a business leader.

Instead of implementing cybersecurity controls themselves, CISOs now focus on helping the organization’s leaders understand the importance of cybersecurity and on leading the strategic thinking behind the organization’s cyber strategy. CISOs bridge the gap between the technical language that comes easily to the IT department and the business language of senior leadership.

This shift also caused a reshaping of the organizational structure, with 47% of CISOs now reporting directly to their CEO, according to the Splunk report. By having the CISO answer to the CEO instead of the CIO, the organization illustrates the importance of cybersecurity as a key priority. Additionally, CISOs now have a bigger influence with a seat at the executive table and, often, even on the board of directors.

Future predictions for the CISO role

Cybersecurity experts debate whether the role of CISO should focus on business or technology. As we move forward, the answer will solidly fall into the middle. More than ever before, today’s successful CISOs must possess a rare blend of both technical and business acumen to truly succeed at the role.

Instead of simply helping the organization speak a common language in terms of cybersecurity and risk, the CISO will take a larger leadership role, owning the cybersecurity strategy for the entire organization. With the increased profile and responsibility, other employees will also realize the importance of cybersecurity in organizations.

As one of the newer executive roles, only existing for the past few decades, the CISO has evolved considerably since Katz made the news. As threats grow more sophisticated and businesses become increasingly digital, the business disruption of cybersecurity attacks often affects every aspect of a company. Organizations that realize the increased importance of cybersecurity and evolve their CISO role can create a culture where every employee and executive views cybersecurity as their job.
