The evolving role of the CISO: From tech expert to business partner

John E. Kaye
- Published
- Cybersecurity, Technology

Rethinking cybersecurity leadership in a shifting threat landscape
By Paul Watts, CISO Leadership and Strategy Advisory and Distinguished Analyst, Information Security Forum

Last year, 343 million people were victims of data breaches, costing business $4.88 million on average; the costliest cybercrime is business email compromise, accounting for $3 billion in losses. And yet, only six percent of CEOs view cybersecurity as a top priority. The fact is, there’s always been a misalignment between the business and security leadership over cybersecurity resilience.
On the surface, the poor perception of cybersecurity business value seems like a communication issue. Most CISOs struggle to speak the language of business while non-technical leadership struggles to grasp technical jargon. Looking at the problem more closely, the issue may be more deeply rooted in the structure of traditional cybersecurity teams and security leadership roles.
Hub-and-Spoke Centralised Operation Model No Longer Fit For Purpose
Most cybersecurity teams began as transactional, service-oriented functions, taking orders from IT teams or the business. But as these functions evolve and become more independent (particularly in large organisations), they take on a more centralised role in which it is assumed that their job is to enact risk management and have oversight across every single business aspect and process. Whilst CISOs believe they are helping to protect the business, the perception can in fact be the opposite — 43% of boards see CISOs as too repetitive, nagging, or overly negative.
The truth is that everyday security, compliance, and oversight activities can be so overwhelming and burdensome for CISOs that they end up spreading themselves too thin and losing sight of business priorities and direction. Eventually the relationship between security and business teams suffers, and perceived value declines.
The CISO Moniker Is Also Being Abused
There have always been misconceptions and confusion around what CISOs actually do and what is expected of them. For example, there has been a 35% rise in CISO roles being filled without organisations fully understanding what the role entails.
Some CISOs carry a grand title but oversee only a small part of the security function; some have limited influence and are not included in strategic decisions; some are simply hired to meet compliance or regulatory mandates, such as the SEC cyber disclosure requirement. This abuse of the CISO moniker, along with its confused remit, does little to demonstrate the role's value to a disengaged business and boardroom.
Decentralising Cybersecurity with a BISO
A majority of recently surveyed CISOs (84%) believe that the CISO role should be split into two functions – business and technical. However, the reality is that modern CISOs need to spend an increasing proportion of their time working with business leadership, developing valuable security strategies that align to business objectives whilst ensuring the business stays abreast of risks, threats, regulations and compliance.
An emerging role – the Business Information Security Officer (BISO) – is helping CISOs to achieve this by forging closer bonds with regional and business teams and designing a security value proposition that supports strategic or departmental objectives.
The BISO also serves as the arms and legs of a CISO, driving the execution of security strategies across the business and feeding the CISO with much-needed business insights and inputs. These inputs enable CISOs to better align security strategy with the business strategy and break down communication barriers between business and cybersecurity teams.
The decision to onboard a BISO ultimately comes down to the scale of the security team and the organisation’s geographical distribution. CISOs of smaller businesses can consider developing “security champions” in the first instance — aligning cybersecurity more closely with the business itself, which may start to deliver the progressive changes required in organisational security culture. That said, it is not solely the CISO’s responsibility to understand the business better; it is equally important for business leaders to take a deeper interest in the cybersecurity strategy. Transparency about the CISO’s role is crucial to ensure CISOs are set up for success and can effectively manage risk and drive security resilience across the organisation.
Further information
www.securityforum.org/meet-the-experts/paul-watts