The CISO Transformation – A Path to Business Leadership
The Chief Information Security Officer (CISO) position is on the precipice of transformation! The CISO role has dramatically changed over the years as the demands have significantly grown and expanded, elevating what was once a support function buried in IT to a high-profile role that regularly provides reports and updates to the Board of Directors. The Traditional CISO is becoming outdated and not on a trajectory for success. A transformation is needed.
The business impacts, visibility, regulatory requirements, shareholder expectations, growing threat actors, and reliance on new digital solutions have fueled the importance of cybersecurity and, specifically, its leadership. Cybersecurity is now highlighted and considered one of the important aspects of business success!
Lessons from the CIO Evolution
A decade ago, CIOs underwent a similar transformation as digital technology became a dominant force in business strategy. There are valuable lessons to be learned from that journey.
I recently had a great conversation with Tim Crawford, an amazing IT leader who spearheaded the transformation of the CIO role many years ago. I found his article from 2017, “The Difference between the Traditional CIO and the Transformational CIO,” to be eerily relevant to the current CISO situation. Tim emphasized that successful transformation begins with redefining the role’s characteristics, enabling leaders to see the necessity for change and its benefits. Only then will the industry truly transform in meaningful ways at scale.
The Traditional CISO: A Model in Decline
Traditional CISOs are often technical experts who focus on tactical activities to eliminate risks and prevent cyberattacks. They tend to operate in a silo, in many cases reporting to the CIO or CTO and inheriting their goals. The organization is designed for operational functionality and optimized to react to new vulnerabilities, attacks, incidents, and risks. Their interaction with the broader C-suite community is inconsistent, and exposure to the board is limited.
CISOs often struggle to communicate with CEOs and Boards. Many CISOs and board members have admitted great frustrations in collaborating in efficient and productive ways – citing a lack of common language or expectations. Ironically, both sides have expressed concerns over misunderstandings, lack of support, poor collaboration, and surprises of unacceptable risks – which in turn have led to increased stress, a loss of confidence in cybersecurity leadership, and sometimes mutual animosity.
The majority of CISOs possess a strong technical background and rose through the ranks to a leadership position. That made sense, as the precursors to cybersecurity, information and systems security, were seen as a tactical effort to secure systems and data. However, with the advent of rich digital connectivity across almost every business system and process, the importance has risen to that of an executive role, with accompanying expectations.
Technical expertise is not as applicable when it comes to strategic business decisions and leadership. The result can be turbulence when it comes to the C-suite, specifically the CEO, and the Board’s involvement in navigating organizational success. Business leaders realize that cybersecurity is important and now part of their direct responsibility to address, but they often struggle to understand how to integrate those challenges with other business priorities and broader decision-making.
The Transformational CISO: A Business Leader First
CEOs and Boards need a trusted cybersecurity partner who can translate complex risks into business terms and help them make the best decisions by guiding investments and strategies to support overarching corporate goals. They rely on key individuals, including the CISO, to lead teams in their respective areas and to pursue goals set by senior leadership. Transformational CISOs bridge the gap between cyber risk expertise and executive decision-making. Success requires strong relationships and effective communication to convey cyber risks and opportunities for consideration in larger decisions, responsibilities, and corporate strategies.
Business leaders are no strangers to managing risk—financial, competitive, regulatory, and operational risks are all part of their dominion. However, cybersecurity introduces unique challenges that require an adept communicator who can contextualize risks within the broader business landscape.
Transformational CISOs possess deep domain knowledge but elevate their focus to strategic risk management. They operate in close collaboration with all the C-suite executives and proactively work to understand the lines of business, maximizing the security posture while minimizing the undesired friction that accompanies cybersecurity controls, and ensuring security measures align with corporate objectives rather than acting as barriers. They support the initiatives of their C-suite peers and are seen as a welcomed partner in addressing ambiguous cybersecurity risks.
Transformational CISOs often report directly to the CEO or a top executive, moving beyond IT silos to influence enterprise-wide strategy. They build adaptive security organizations that respond effectively to evolving risks while maintaining alignment with shifting business goals.
These CISOs are adept at communicating with all levels, including CEOs and Boards, by masterfully translating complex data and situations into business terms and recommended actions. C-suites and Boards are not inherently cybersecurity experts, nor should they be, and attuned CISOs aren’t trying to transform them into cybersecurity specialists. Instead, they understand their role is to be the trusted professional who can communicate cyber risks and opportunities in familiar business terms that actively support the overall business goals. This enables leadership to make informed decisions, balancing cybersecurity investments with other strategic priorities. In return, the CISO receives clear guidance and necessary support to achieve their specific objectives.
Traditional vs. Transformational CISO: Key Differences
The Transformation Journey
This metamorphosis has proven to be a challenge. The industry continues to struggle with forming highly proficient working relations between CISOs and the CEOs/Boards. It has often been an incredibly personal work-in-progress for CISOs to make this journey, during which new skills must be learned and applied by the cybersecurity professional. The CEOs and Boards are also working on understanding how cybersecurity intersects with the success of their organization and how best to oversee it.
It is a chasm that must be crossed. Traditional CISOs frequently believe that CEOs and Boards should become experts in their all-important field. Yet that sentiment is not shared by the business leaders, who operate in a different manner across many such domains. Boards often expect CISOs to magically grow the skills to understand and present cyber risks in ways familiar to them and to how they manage, which is an unrealistic near-term expectation.
Expectations for cybersecurity are not going to shrink. It is already a Board-level topic, and no static or one-time solution can be purchased to ‘solve’ cybersecurity. The need to manage cybersecurity risks is here to stay and will be indelibly integrated into the scope of CEO and Board oversight. There are no easy solutions. The differences that exist between organizations lead to unique adaptations that are not scalable, durable over time, or persistent through personnel change. The pressure is forcing collaboration, with the hope that it will improve over time.
What is certain is that both sides must adapt to effectively bridge this chasm in a sustainable way.
Frameworks are needed as a foundation to build strong relationships, deftly communicate cyber risks in business terms, and forge strategies that empower CEOs and Boards to make well-informed decisions to balance the value of cybersecurity investments with other imperative business objectives.
To thrive in this new era, the CISO and CEO/Board collaboration must embrace transformation. This will be the difficult journey that CISOs, CEOs, and Boards must successfully traverse together in the next few years. In today’s digital landscape, CISOs will need to transform into business superheroes to collaborate with executive leadership to set cyber risk oversight as a cornerstone for business growth and resilience!