The CISO as a strategic leader
Historically, the CISO might have been seen primarily as a technical expert, deep in the weeds of firewalls and patch management. Today, the expectation has changed dramatically. Jon France, CISO at (ISC)², defines the role of the CISO as ‘a trusted leader who protects the organisation from threats to its information and operation through collaborative risk management. As part of the wider leadership team, they must also enable the business to take appropriate risks and embrace new opportunities.’
In today’s environment, CISOs must be able to communicate with and influence organisational leadership, including the board of directors and the C-suite. Jon France emphasises that the CISO’s role is centred on communication, particularly storytelling and narrative development. This is crucial for translating technical jargon into business-relevant terms that resonate with non-technical stakeholders.
The board of directors plays a vital role in providing strategic direction and ensuring governance and oversight. CISOs must understand the board’s priorities and tailor their communication to address those concerns. A recent survey indicates that 70% of respondents believe cybersecurity is a beneficial topic for director development, training, and education. This highlights the CISO’s responsibility to educate board members on cybersecurity risks and best practices. And yet another study finds that most S&P 500 companies do not have cybersecurity professionals on their boards. This gap underscores the need for CISOs to bridge the communication divide and ensure that cybersecurity is a key consideration at the highest levels of the organisation.
Addressing challenges in the regulatory and technological landscape
CISOs operate in a complex and rapidly evolving regulatory landscape. They must stay abreast of various regulations, laws, and acts, including NIS2, the Cyber Resilience Act, the EU Cyber Solidarity Act, the Cybersecurity Act, and DORA. Many of these regulations, particularly in the EU, are principle-based so that they remain relevant despite technological advancements. CISOs therefore need an understanding of both the technology and the reporting and legal requirements, and because several of these acts place accountability on senior management, compliance becomes a matter in which boards are directly involved.
CISOs today also face a complex and rapidly evolving technological landscape. It can be visualised along two axes: the depth of technology penetration, ranging from light to deep integration, and the spectrum from legacy to emerging technologies. At one end, CISOs must secure legacy systems that were never designed with modern cybersecurity in mind; at the other, they must evaluate and manage the risks introduced by cutting-edge innovations such as AI. This balancing act is made even harder by an increasingly aggressive and sophisticated threat landscape and by the constantly shifting regulatory environment described above.
The impact of AI on the CISO role
The rise of AI, particularly generative AI (GenAI), is one of the main technological shifts presenting both opportunities and challenges for CISOs. The widespread adoption of GenAI has significant implications for cybersecurity. Niels Torisaen, Senior Manager Cyber Strategy & Architecture, identifies four situations in which it affects the CISO function, along with possible strategies for dealing with each.
The first situation arises with GenAI offered by third parties. GenAI tools often require access to large amounts of data, which raises data security and privacy concerns when using third-party solutions. To address this, CISOs must oversee a careful review of the access privileges granted to the tool, implement data leakage prevention controls, understand whether and how submitted data is used to train the vendor’s models, ensure encryption in transit and at rest, establish disaster recovery arrangements and assess vendor risk.
The widespread use of GenAI tools by end-users, often covertly (so-called shadow AI), poses a second challenge for the CISO, related to data security and compliance. Strategies to address this involve, among others, deploying data loss prevention (DLP) controls and refining usage guidelines, while clearly identifying which AI tools are approved. CISOs should also foster open communication and promote responsible AI practices across the organisation so that adoption is both secure and effective.
A third case in which AI affects the CISO is when their organisation develops or embeds GenAI into its own products, which goes beyond traditional functional requirements and the Confidentiality – Integrity – Availability (CIA) triad. The CISO must ensure that AI security expertise is built within the team. This includes adopting risk management frameworks and updating the Software Development Life Cycle (SDLC) with AI threat modelling and OWASP AI guidance, as well as ensuring compliance with regulations such as the AI Act. CISOs should also champion transparent communication by demonstrating AI security measures in action, and collaborate with legal, compliance, and ethics teams so that AI systems are developed securely and responsibly.
Finally, security teams are increasingly using AI tools in their own operations, which combines the challenges of the previous three situations. Setting strict policies might seem like a solution, but employees who experience the benefits of AI in their personal lives will seek similar tools at work. It is therefore essential that security professionals understand both the strengths and the weaknesses of AI models, and CISOs need to prioritise training their teams to use AI tools safely and efficiently.
At the crossroads of innovation and risk
The role of the CISO has evolved into a critical strategic leadership position. No longer focused solely on technical defences, today’s CISOs must be effective communicators and adaptable leaders who engage with the board, translate risk into business terms, and manage an increasingly complex regulatory and technological landscape, especially with the rise of AI. Success now requires cross-functional collaboration, enabling secure innovation while ensuring resilience. By embracing this broader role, CISOs can drive secure growth, lead the responsible use of AI, and become key enablers of business transformation in an ever-changing digital world.
On the picture: Niels Torisaen (NVISO)
