Changing Role of the CISO: A Holistic Approach Drives the Future

The CISO's role has grown far beyond supervising Patch Tuesday to focus on prevention and response and to cover people, processes, and technology.

Graeme Payne, Senior Director of Strategy, Risk, and Compliance & Identity Protection, Kudelski Security

September 20, 2023

4 Min Read
The word "CISO" on a digital background
Source: Borka Kiss via Alamy Stock Photo

In the modern enterprise, the responsibility for security culture, technology, and posture is the purview of the chief information security officer (CISO).

This role isn't an easy one. While senior business leaders and boards of directors understand that cybersecurity is a critical risk, they face challenges in determining how it compares to other factors such as credit, liquidity, and market risk. It's no longer enough to identify risk; now security leaders must be armed with information that allows them to justify investments, work hours, and importantly — budget.

Let's examine the various ways CISOs can support themselves to better deal with these priorities, including why I believe a more holistic approach to evaluation and prevention is the path forward.

The Threats

It's been six years since the infamous Equifax leak. I was present for this incident, and in many ways, it was an inciting moment for the shift to the cybersecurity attitudes of the current era. Equifax showed that everyone is a target, and further, that all companies must more intensively examine how we store, access, and protect information — as well as the robustness of the systems that allow us to do so.

The good news is that industrywide, threat awareness has never been higher, but on the flip side, criminals and nation-state actors are more motivated than ever. Today, we're seeing threats that far outstrip the schemes of the past in scale and effectiveness. Criminals have flocked wholesale to ransomware, business email compromise (BEC), and extortion tactics, while nation-state actors are focused on critical infrastructure and IP theft.

Further, the advent of artificial intelligence has led to criminals having a wide range of tools at their disposal, often deploying these against understaffed organizations whose IT teams serve a variety of essential, often-siloed roles. Simply put, the CISO has more to contend with than ever, which is why the role must encompass so many aspects in our high-stakes security climate.

Prevention & Response

In so many cases, I see CISOs attempting to set up defenses by simply throwing technology at the problem — deploying solutions without setting up the necessary infrastructure or training to support their staff. Instead, I'd advocate for a more holistic approach, one that covers people, processes, and technology, while focusing on a culture of prevention and response.

For prevention, people must be trained to recognize phishing and other social engineering schemes, forming a baseline defense against ongoing threats. Similarly, the CISO must form a collaborative relationship with IT teams, whose daily work is so important for both patching and other process-oriented work. Another key aspect of prevention is ensuring there is visibility of what is happening across the company. Technology can help provide this visibility, but people are needed to follow up on potential red flags as well as search for potential threats.

In responding to threats, it's imperative that CISOs have a clearly defined plan, one that is exercised frequently and includes the most likely threat actors and scenarios. This should include not only everyday workers, but top-line executives and, occasionally, board members to ensure crisis communications readiness. Additionally, today's cyber-insurance plans often include breach coaches to help design and implement protocols, a valuable asset to consider when setting up response plans.

Security Leadership

With the security function — and the responsibility of CISOs — expanding and evolving, several new capabilities have emerged as pivotal to support the above priorities, including:

  • Risk management facilitation focused on identifying and communicating key security risks in business terms and advising business leaders and boards on cyber-risk.

  • Protection services, such as physical security, noncyber incidents, workplace violence, BCM (Business Continuity Management), and crisis management.

  • Operational security focused on protecting critical infrastructure such as plants, machinery, and industrial control systems.

  • Data protection and privacy including compliance with regulations such as GDPR and CCPA.

  • Cyber resilience, including functions such as threat and vulnerability management, response and recovery, continuity planning, continuity of DevOps, and application security.

  • Transversal auditing to ensure security remains represented and understood throughout the organization.

  • External client management demonstrating the company's investment in data protection and security to help win and retain customers.

To better facilitate the security program across the business, many CISOs are implementing the business information security officer, or BISO, role. The BISO, also called a business liaison, is the regional security ambassador — the go-to person for security within each business line or region. They ensure security policy is followed by regions and business lines and educate the organization on cyber-risk and accountability. The BISO also weighs security protocol against user experience and against new business initiatives, ensuring security remains a business enabler.


The No. 1 job of a CISO is to build relationships and have partnerships with peers. Investment in training to develop and nurture these skills must be prioritized. Business continuity and operational success in challenging times will depend on it. On a more fundamental level, security cannot be left as the sole responsibility of the CISO. The role is changing with the rapid evolution of technology, business, and the threat landscape, and security has become intrinsic to every aspect of the company's security and operations.

About the Author(s)

Graeme Payne

Senior Director of Strategy, Risk, and Compliance & Identity Protection, Kudelski Security

Graeme Payne is the senior director of strategy, risk, and compliance and identity protection at Kudelski Security, helping boards and senior executives understand and manage cybersecurity and IT risks. Graeme has over 30 years of experience in consulting and IT management in financial services, insurance, healthcare, retail, manufacturing, and utility industries. He has worked for many leading cybersecurity firms, including Ernst & Young, Wipro, and Equifax. His experience at Equifax during the notorious 2017 Data Breach provided insight for his book, The New Era of Cybersecurity Breaches.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights