The Corporate CISO Role Is Evolving 

Half a century after owning a computer became the norm for businesses, there’s still a tendency to treat a company’s Chief Information Security Officer (CISO) as a slightly eccentric backroom role, siloed away from day-to-day commercial affairs, and brought out only when something has gone wrong.

It is still assumed by many C-suites that, other than calculating the costs of IT breakdowns or cybersecurity breaches, a CISO has little to do with the commercial side of the business.

But recent events are causing those attitudes to change. The CISO is increasingly seen by the rest of the C-suite as not simply a technical or compliance position, but as a full business executive with a vital day-to-day role in a company’s commercial success. And that’s a good thing:

This reenvisaging of the CISO role will help companies better navigate the new cybersecurity threat environment and achieve key business goals.

Cyberattacks As An Ordinary Business Risk

The changing nature of the cyber threat caused this reimagining of the CISO role. Not only is there a sharp rise in the number of cyberattacks on businesses and other organisations since Russia’s invasion of Ukraine in 2022, but new threat vectors have opened up as well. 

One example of this is third-party vendors. Most businesses now have their IT systems connected to a number of third-party vendors; a commercial necessity, but one that unfortunately increases the surface area for attack, as the Progress-MOVEit breach of last year illustrated.

As a result, companies increasingly see cyberattacks simply as a cost of doing business.

Rather than trying to prevent every attack (an increasingly futile task), companies are looking for ways to mitigate and transfer this risk. As such, cyber risk is now being factored into both day-to-day business decision-making and corporate strategy.

The CISO As A Full Business Executive

In 2024, then, cyber risk can no longer be separated from a company’s everyday commercial activities and business strategy. Cyber-attacks are simply too frequent, and the surface area for attacks is too wide, for these matters to be considered in isolation any longer.

Cybersecurity for a business is increasingly a matter of trade-offs. Navigating these trade-offs demands sound judgement about what’s best overall for a particular business - something that requires both technical know-how and commercial savvy. For instance, a C-suite will have to determine how to balance, say, the commercial need for connection with third-party vendors against the cybersecurity problem that this presents.

In addition, many boards now want the cyber risk they face to be quantified so they can factor this figure into their investment decisions.

This re-evaluation of cyber risk is now prompting many companies to remodel their CISO role to more closely align with strategic business decision-making. For starters, an increasing number of CISOs now sit on corporate boards - rising from 14% in 2022 to 30% in 2023, according to the management consultancy Heidrick & Struggles.

This organisational change makes CISOs an ordinary part of corporate governance, helping to bring about the closer integration of cybersecurity with overall business strategy. 

The day-to-day work of CISOs is changing as well. CISOs are no longer simply reacting to cybersecurity threats. Instead, CISOs are advising C-suites on vendor risk by conducting third-party risk assessments; preparing the company for cyber incidents through training and drilling; presenting boards with a dollar value of the cyber risk that the company faces; proactively monitoring for threats; and advising boards on how much they ought to invest in cybersecurity solutions.

As cybersecurity increasingly becomes a matter of trade-offs rather than a search for perfect security, the role of the CISO is transitioning into a more holistic one.

CISOs now act collaboratively, often as a member of the board, to integrate their work into a company’s overall business strategy – offering counsel on everything from investment decisions to the selection of third-party vendors. Such an approach better reflects the new reality of the cyber threat environment, and helps businesses adapt to a world where cyber risk is simply a fact of life. 

Vishaal ‘V8’ Hariprasad is Co-founder & CEO of Resilience
