CISOs reposition their roles for business leadership

They may have the word “security” in their title, but the mandate for today’s CISOs is to evolve from being security gatekeepers to architects of business continuity and operational resilience.

No longer are CISOs solely focused on locking down things like firewalls and conducting compliance checks. Now, they’re involved in broader conversations about business growth, digital strategy, and customer trust. They’re expected to deeply understand the business and know the company’s goals, revenue streams, and assets to prioritize security assets effectively.

Many are also overseeing IT functions to ensure alignment between security protocols and operational efficiency.

In short, instead of just saying “no” to risk, they’re assessing cyber risks in the overall business risk context, helping the organization make informed decisions about risk appetite. This requires a strategic mindset and the ability to communicate complex security issues in business-friendly terms.

As cyber threats increasingly disrupt business operations, boards now look to their security leaders not just for protection but for proactive insights that shape everything from investment decisions related to tech infrastructure to product development and data governance.

CISOs are embracing this newfound recognition of their elevated roles with gusto. Here is a look at how some CISOs have transformed themselves into more integral business leaders for their organizations.

Gaining trust with the board, other leadership

Amit Basu’s role as CISO of International Seaways has been expanded to include the titles of vice president and CIO as well. This is not surprising, he says, because Seaways’ board realizes security is woven into every business function.

“As digital transformation accelerates and cyber risk becomes a core business concern, CISOs are now expected to align security initiatives with broader organizational goals, drive resilience, and enable innovation,” Basu says. “Security requirements are now intertwined with every digital project from the conception stage, ensuring that digital investments are built with the resilience needed to deliver business value despite evolving threats. This integration elevates the CISO’s role, positioning them as a key strategic leader within the enterprise.”

Amit Basu, VP, CIO, and CISO, International Seaways

It’s up to the CISO to gain the trust of the management team and the board so they understand that security is not an IT issue or a technical problem, Basu stresses. It requires “emotional intelligence,” as well as some boldness and visionary leadership, he says.

Basu’s dual-titled role is emblematic of a rising trend in the C-suite that sees security leaders better positioned, sometimes even than CIOs, to lead tomorrow’s tech departments.

Giving it to them straight

CISOs are now working with business leaders and boards to ensure that cybersecurity considerations are embedded into every issue, Basu says. “And, they have become translators for articulating the complex technology risks in business terms that resonate with senior leadership.”

When CISOs communicate effectively, or have what Basu calls “a storytelling skill,” that elevates them from an operational manager to a trusted advisor and a strategy leader.

Communication is a key strategy for building trust and influence across the organization, agrees Gaurav Kapil, senior vice president and CISO at financial services firm Bread Financial.

“The CISOs of the present and the future need to get out of being just technologists and build their influence muscle as well as their communication muscle,” Kapil says. They need to be able to “relay the technology and cyber messaging in words and meanings where a non-technologist actually understands why we’re doing what we’re doing.”

For example, a CISO saying, “I need to implement a new vulnerability management capability,” doesn’t mean anything to businesspeople, Kapil notes. “But translating that into the value it provides to the organization and the benefits it provides, the risk it reduces, the business it enables — all those mechanisms enable the CISO to build their trust vault.” This needs to be a continuous exercise, he adds. “It’s not transactional but more of a value-based conversation.”

Having risk rather than cyber conversations

Bread Financial holds a lot of personally identifiable information (PII) for millions of customers, and it goes without saying that it needs to be protected. Naturally, the business cares about abiding by all the regulatory requirements a financial services firm is subject to, Kapil says, but he needs to always be thinking beyond that, especially when it comes to the implications of this PII being leveraged in an unauthorized way.

“Talking about encryption and tokenization is not really going to help the business,” he says. “But talking about, ‘If we do not secure the information and its access for unauthorized purposes, here are the implications,’” including loss of customer confidence, regulatory fines and additional oversight, and reputational loss — “those are the kinds of things the business cares about more.”

Gaurav Kapil, SVP and CISO, Bread Financial

Further, instead of playing “a policing role,” CISOs need to think artfully about forming more influential relationships; and instead of having cyber conversations, have risk conversations, Kapil says.

That notion of transforming one’s mindset into that of a risk officer is something many CISOs see as a future foundation of the top security officer role.

“In my role, I partnered with my peers across technology from a product development [and] platform perspective, from a cyber risk or a tech risk perspective, where we partner with my enterprise risk leaders” and have more risk conversations discussing the “why,” and the value something will bring to the organization, Kapil says.

As the conversation shifts, Kapil has become adept at identifying the big “risk blocks in our portfolio,” and weighing those against business priorities, which also adds value to the role, he says.

“Otherwise, if you’re just solving for the next thing, we’re not really being risk aware, and we’re just doing things for the sake of doing things, which is not the best way of operating,” he adds.

Becoming an enabling CISO

In 2018, a CISO report from Synopsys identified four different types of CISO “tribes,” each with its own distinct characteristics. Chad LeMaire, deputy CISO and currently interim CISO at NDR platform provider ExtraHop, characterizes himself as an enabler CISO.

“CISOs who are enablers can have the greatest impact on the business because they understand the business objectives,” LeMaire explains. “I like to say we don’t do cybersecurity for cybersecurity’s sake. … Ultimately, we do cybersecurity to contribute to the goals, missions, and objectives of the greater organization. When you’re an enabler that’s what you’re doing.”

Chad LeMaire, interim CISO, ExtraHop

There is security risk and there is enterprise risk, and the CISO has become the “linchpin that ties all the departments together as we identify risk,” says LeMaire.

Charged with managing enterprise risk along with security operations, LeMaire works with other departments and in tandem with ExtraHop’s CIO to develop a risk matrix score and formulate plans to mitigate risk. “Then you’re left with what is referred to as ‘residual risk,’ that focuses on risk to the organization,” he says. That residual risk is not necessarily security focused, he says, because it affects all departments, yet CISOs are now involved in managing it as part of broader risk management.

CISOs are now also more frequently responsible for operational planning, which encompasses business impact analysis and creating disaster recovery and incident response plans, LeMaire says. They must coordinate tabletop exercises so when something happens, everyone knows what the plan is and what their role is to ensure the business continues to operate.

“It’s greater than cybersecurity at that point,” he says. “Contingency could be a disaster that is not related to cybersecurity — but there are cybersecurity impacts based on certain disasters.”

Bread Financial’s Kapil is also responsible for business continuity and disaster recovery. That, coupled with a whole host of other functions, enables him to set the right agenda for the cyber organization, build the right architecture to support cyber strategies, implement a zero trust environment, and ensure anomalous activities are monitored in real time. Having a breadth of responsibilities, Kapil says, enables him to run a safe and secure organization.

Helping the organization recognize that cyber needs to transform, too

Like many organizations, Bread Financial is in the midst of a business and digital transformation. Kapil believes strongly that the security organization also has to transform.

“A tech transformation cannot be successful without a cyber transformation as well,” he says. To do this successfully requires Kapil to think outside the box and align the IT and cyber practices that will enable the company to be a tech-forward financial services organization.

“We can’t afford to just be cyber technologists. We’ve got to get out of our box and speak the language of risk, speak the value, the language of our finance partners,” Kapil says. It’s up to the CISO to make the CFO understand why security has the budget it has and the value the security organization provides.

“We’re leveraging tech and cyber to enable the business, enable the partners, and ensuring that this business platform continues to be a safe and secure operating platform. That is key to the underlying message,” he says.

A business-focused title emerges

With CISOs repositioning their roles and in recognition of how integral security has become to the business, some larger organizations are now adding business information security officers (BISOs) to their leadership teams. A BISO is embedded into the business and understands and aligns with strategic priorities and risk frameworks, says Michael Petrik, securities industry risk group associate at FS-ISAC, which has developed a BISO Program and Role White Paper for the financial sector.

The BISO role emerged to bridge the gap between business objectives and cybersecurity oversight that has existed in many companies, Petrik says.

“By acting as a liaison between business, technology, and cybersecurity teams, the BISO ensures that security measures are aligned with business strategies and integrated effectively,” he says. Digital transformation, emerging technologies, and rapid innovation are business mandates, and security teams add value and manage risk better when they are involved before a platform is selected or implemented, he says.

A BISO should be viewed as a complement to a CISO — not a replacement, Petrik stresses.

CISOs have a widening set of responsibilities including enterprise-wide cybersecurity strategies, establishing policies, and managing overarching cyber risk. The BISO is an extension of the role by translating technical security knowledge into core business applications, Petrik says.

As CISOs look to reposition their roles for more business-centric responsibilities, they can utilize BISOs to help them gain greater visibility, more agility, and improved alignment across the organization, Petrik says.

Originally published as “CISOs reposition their roles for business leadership” on CSO Online.