
Esther Shein
Contributing writer

CISOs embrace rise in prominence — with broader business authority

Feature
13 Jan 2025 | 11 mins
Topics: Business IT Alignment, CSO and CISO, IT Strategy

Security execs are increasingly adding high-value responsibilities, expanding their skillsets, gaining deeper understanding of their business, and becoming more well-rounded leaders.

[Image credit: insta_photos / Shutterstock]

It’s a familiar refrain: As cybersecurity has become a core business priority, it is no longer a siloed operation, and the responsibilities of CISOs have grown, giving them greater prominence within the organization.

According to CSO’s 2024 Security Priorities Study, 72% of security decision-makers say their role has grown to include additional responsibilities over the past year. The top five responsibilities security leaders have taken on are: cybersecurity strategy and policy development; risk management; securing AI-enabled technology; innovation and emerging technologies; and security architecture and technology updates, according to the report.

Further, the report notes that 92% of security leader respondents have greater engagement with the board of directors, up from 85% in 2023. Similarly, a recent Deloitte report finds cyber leaders have increased leadership visibility: 41% of respondents said their board addresses cyber-related issues at least once a month, while 30% are meeting weekly.

“The influence of the CISO is growing across an increasingly cyber-savvy C-suite: Almost one-third of respondents noted CISO involvement in strategic conversations about tech investment,” the Deloitte report said. “Half of respondents are very confident in the C-suite and board’s ability to adequately navigate cyber issues.”

The CISO is more central to the business

Larry Jarvis, CISO of Iron Mountain, says his role has expanded significantly in recent years, reflecting the growing complexity of today’s security landscape, and now spans several interconnected areas, including risk management, business resiliency, and compliance. Cybersecurity has moved beyond technical IT concerns to become a core business priority, he says.

“My responsibilities now encompass not only protecting our digital assets but also aligning security strategies with the broader business objectives,” Jarvis says. “This shift is driven by the increased sophistication of cyber threats, regulatory demands, and the critical need to protect customer trust in a data-driven world.” Additionally, “The rapid adoption of generative AI also presents new security challenges,” he says.

[Photo: Larry Jarvis, CISO, Iron Mountain. Credit: Iron Mountain]

Daniel Schatz, CISO of Qiagen, a provider of molecular testing solutions based in the Netherlands, echoes that. “My role and the tasks I’m involved with expanded over time from what you’d usually consider old-school IT security,” he says. “Recently, I’ve been working to find the right setup to build the company’s business continuity program, … set up the organization’s crisis management team, and [also] became responsible for enterprise risk management.”

While Schatz doesn’t believe the security team previously operated in a silo, he says that may have been the perception. Five years ago, security was part of the IT organization and closely integrated into technical processes and projects. But this caused its own limitations, such as the perception that security is “an IT problem.”


To change that, Schatz says he has worked with company executives to move the security function out of IT to give it broader exposure to all business areas. The move did not resolve every issue immediately, but as a result, “we were then able to more effectively engage across all business functions while still keeping good relations with our IT colleagues,” he says. “Adding the role of a business area information security officer (BISO) for our key business areas did help to make this process much easier for both sides.”

[Photo: Daniel Schatz, CISO, Qiagen. Credit: Qiagen]

Tim Dzierzek, CISO of healthcare staffing company Aya Healthcare, agrees that there used to be the sense that “security is a technical problem, and I feel like you’re always educating executives that security is an all-encompassing process.”

Now, he says, the CISO role has shifted away from security being a room of security professionals “looking at a lot of things” toward a sharper focus on risk management and trust management across the organization.

“I’m definitely seeing more involvement of security in the business that you haven’t seen in the past, whether it’s data governance and now even AI governance, to really harness artificial intelligence for us and our customers,” Dzierzek adds.


With most companies now considered tech companies, digital transformation involves the CISO as well as the CIO, he says. Beyond ensuring sensitive data remains compliant, the CISO has become a key advisor on how technology is used and how it enables companies to meet their business goals.

“So it’s a change from a backroom security function to guiding companies in a secure way,” Dzierzek says.

Aya Healthcare doesn’t like silos, he adds, and “I find a lot of my role is meeting up with people in the business. … There is a relationship [component] to the CISO role that wasn’t really in place in past companies.”

[Photo: Tim Dzierzek, CISO, Aya Healthcare. Credit: Aya Healthcare]

Wearing many hats — starting with risk

Schatz’s role was originally focused on information security within the wider corporate technology department, a setup he says was common five or 10 years ago, “and it is probably still the typical setup for many organizations that are just getting serious about the topic.”

But the mix of the rapidly developing cyber threat landscape and increasing external pressure from customers, regulators, and legislative bodies is forcing organizations to take a more holistic view of cyber risks, Schatz says.

“Executives recognize that cyber risk is a systemic risk,” and they are starting to see that “the CISO is well suited to assist with addressing this outside of just the traditional IT,” he says. “In my case, this means that my role expanded in several areas over the past few years.”


Schatz’s list of added responsibilities includes overseeing technical data privacy protection. While Qiagen’s legal counsel retains overall responsibility for privacy regulation compliance, he says, “interpretation and implementation of the technical controls is seen as a CISO responsibility and thus, falls to me.”

In line with the “systemic risk theme,” Schatz was recently asked to build a formal crisis management capability for the organization. “This was driven by the realization that a cyber related scenario is one of the most likely triggers for a crisis in our organizational context, so the overall responsibility was given to me,” Schatz says.

Around the same time, the need to establish a company-wide business continuity management (BCM) program became apparent, he adds. “With much of the organization depending on digital assets, it was not unexpected that this could also fall in the scope of the CISO.”

However, Schatz pushed back: instead of simply accepting another responsibility, he worked with leadership to find the place for the BCM function that would work best over the long term. “The CISO is now a key partner in the BCM program instead of adding full responsibility on top of the existing load,” he says.


And taking over the enterprise risk management (ERM) function about 18 months ago “has made it substantially more challenging to balance the responsibilities of the CISO function with the demands of an ERM function,” Schatz says.

In this case, however, Schatz was able to add resources to support him with the ERM program.

“At the same time, I’ve been relying more on the members of my security team to keep the security program running effectively and efficiently,” he says. “I have to strictly prioritize where I put my efforts and focus. Fortunately, there are synergies between the roles, and I have a great team that I know I can rely on.”

Operational technology changes the cybersecurity game

Ian Bramson has seen several key shifts during the seven to eight years he has been focused on the operational technology (OT) side of cybersecurity. Bramson, vice president of global industrial cybersecurity at engineering and construction firm Black & Veatch, says there used to be “significant resistance and even denial regarding OT cybersecurity. Clients were either dismissive about the exposure of their OT networks or claimed that they were not targets for adversaries.”

But as OT networks became more interconnected and cyber-physical attacks on critical infrastructure operations became more frequent, Bramson says “perceptions began to change.” His role has evolved from trying to convince clients that there was an issue to addressing their “what do we do now?” questions, he says.

“Senior executives and boards of directors from critical infrastructure companies are getting more concerned and often are turning to their CISOs with mandates to ‘make us safe’ and ‘keep operations running,’” Bramson says. “This creates new challenges for these CISOs as the OT environment works very differently than the IT one does.”

[Photo: Ian Bramson, VP of global industrial cybersecurity, Black & Veatch. Credit: Black & Veatch]

Issues such as safeguarding legacy systems and high-hazard equipment as well as an emphasis on uptime are key to these environments, he says. “CISOs are starting to have accountability over operational networks and cyber consequences that they often do not understand.”

As safety and uptime become more of a mandate, the pressure on CISOs will continue to grow, Bramson says. “We are already seeing more discussions about building cyber into new constructions and major modification projects,” he says. “Companies are realizing that cybersecurity is better built in from the start. This is expanding the CISO role even further across their companies and operations.”

OT has also become a key focus for Iron Mountain’s Jarvis, since “integrating physical and digital security is essential in a hybrid environment. Additionally, business continuity planning plays an important role in protecting operations against disruptions, whether from cyberattacks or other threats,” he says.

More prominence can be a double-edged sword

There’s no denying that greater prominence and attention, not to mention constant news stories about high-profile cyberattacks, bring additional stress. Aya Healthcare’s Dzierzek says his background in the US Marine Corps has given him built-in mechanisms to cope.

These include going for a run, taking 15-minute breaks and walking away, and doing something other than security in the evenings, he says. But in the past, Dzierzek acknowledges, he has “gone through bouts of being burnt out. … It’s a hard hole to break out of if you don’t have capabilities to step back and breathe when security incidents happen.”


The added responsibilities definitely bring more pressure, especially when resources are tight, adds Qiagen’s Schatz. “Having a strong, reliable team makes a huge difference, but at the end of the day, it’s about prioritizing and focusing on what matters most. It’s not easy to accept that some things won’t get done, and that can add to the stress.”

CISOs, like other business leaders, need to find their own way of getting comfortable with making tough decisions in uncertain situations to balance stress, performance, and mental health, he says.

All in all, Schatz characterizes the additional responsibilities as a mixed blessing. “It clearly is a positive development that executive leaders recognize the added benefits a CISO can bring to the organization and entrust them with additional responsibilities,” he says. The upside is that CISOs expand their professional skillset, gain a deeper understanding of their organizations and the risk universe in which they operate, and can become more well-rounded leaders.

“The other side to this is the obvious increase in pressure on your time to manage the increased responsibility and being outside your comfort zone quite often,” he notes. That said, any senior leader is expected to be effective with limited resources and to optimize within those constraints, Schatz says.

“But it is also important that the organization provides sufficient resources to enable success,” he stresses. “As long as this is balanced, I’m up for the challenge.”


Esther Shein is a journalist with extensive experience writing and editing for both print and the web with a focus on business and technology as well as education and general interest features.
