What’s next for the CISO role?

As executive vice president and CISO, Jerry Geisler is a top executive at Walmart.

That level, along with continued investment in cybersecurity, reflects his company’s commitment to “becoming a cyber-secure company,” he says.

In addition, it highlights the continuity of the CISO role.

“In the past, security was often an afterthought in the digital environment. However, by 2024, organizations are prioritizing building secure applications, systems, and services. Walmart stands out as a trailblazer in this regard, as the company has long emphasized infosec. “Elevating the role of CISO to the level of executive vice president at Walmart shows an extraordinary evolution globally,” Geisler said.

He adds: “This good practice highlights the growing importance of CISOs in shaping business-level decisions in various sectors.”

Geisler, one of 10 CSO Hall of Fame inductees this year, is not alone in his observations. Others in the 2024 Hall of Fame class also see the role of the CISO continuing to shift from its traditional technical roots to becoming a chief strategic officer. With that, they see an increase in the number of jobs offered by security managers.

“When I started my career, cyber was included in IT, and IT was still considered an office job. Cyber ​​​​was thought of as insurance, but it has evolved into a front office function that is now differentiating and helping to grow the business,” said Teresa Zielinski, vice president and global CISO of GE Vernova. “Today, the role of the CISO is evolving significantly. Now we’re seeing it evolve into a bigger part of strategic management, where it’s not just about cyber but also about risk and resilience.”

More responsibilities, more accountability

The role of chief security officer has been in flux since the early 1990s, and Zielinski’s career has shown the trajectory of the position.

Like many CISOs, Zielinski began his career in IT, spending 12 years in that area. In 2009 he was drawn to cybersecurity, when he was asked to lead a team tasked with responding to an incident.

Zielinski understood right away that cybersecurity was not only about preventing bad things from happening but also about enabling business goals.

He realized that cybersecurity cuts across all functions and he knew the processes and technologies that drive business, allowing security leaders to see the big picture; that security was well aware of the many risks, regulations, and requirements facing the organization; and, through its work with IT in the security of the product, connected with customers and influenced their experience and sense of trust in the organization.

“Cyber ​​has to move the needle on every single operation to close the gaps and make the processes work as they should,” he says. “In security, you have to understand what customers need, what regulations you have to meet, and you have to use that understanding to influence your senior colleagues. As I saw that, that’s when I knew that the role was big, that it wasn’t to have cyber insurance but to be diligent for the business to work.”

He cites as evidence the adoption of the “security first concept” among many organizations, where security is built into digital products from the beginning and as a given – a way that security, for example, is not an afterthought in production. of cars but part and parcel of it.

“No one would buy a car without safety equipment. That should be the same with digital products, especially with AI and AI services that generate,” he said.

In addition, Zielinski sees more CISOs taking on even broader responsibilities in the future and moving into the highest levels of business leadership as he does.

Specifically, he sees cybersecurity operations intertwine with risk and resilience responsibilities. It makes sense, he adds, since cybersecurity and risk and resilience are about identifying and closing gaps so that an organization can not only survive an incident but thrive. in spite of all risks.

“The CISO and the chief risk officer will work very closely together or become a single role that not only leads on cyber but also on risk and resilience,” added Zielinski.

Canadian National Railway CISO Vaughn Hazen says he, too, sees the role taking on more responsibility for risk than in the past.

“It has become a really dangerous role; it’s about managing risk,” he said, adding that the growing number of security regulations is creating pressure for CISOs to take on other aspects of compliance, too.

He points out that CISOs today are often responsible for data privacy, and he sees more CISOs handling third-party risk and supply chain risk — a trend he doesn’t expect to continue.

Such approaches increase both the pressure on CISOs and the level of accountability they take on, he adds.

“You have to know what your exposure is, so you have to understand the business and the potential business impacts of those risks. You must understand how the policies, procedures, and technologies you put in place impact risk and the organization as a whole. And you have to be able to defend your decisions,” Hazen said. “You have to develop a mindset: ‘If I had to defend my position in court, would I feel comfortable with the decisions I made?’ and answer yes.”

The rise of the chief cyber and risk officer

Gary Hayslip, CISO of Softbank Investment Advisers, sees a similar trend for the future.

“I see the role now as using technology, people, and a risk management process,” he said, calling these steps part of the maturing of a larger security position.

That, in turn, is reshaping CISO jobs and changing the nature of the position in many organizations, he says.

He knows of CISO positions that oversee governance, risk, and compliance (GRC), some with risk and network infrastructure, and others with risk and IT. He expects that future titles will reflect that integration, with the CISO becoming the chief cyber and risk officer or the chief cyber and privacy officer (changes that are already occurring in limited numbers).

“That combination will be the norm,” Hayslip added.

Susan Koski, vice president and CISO of PNC Bank, similarly sees CISOs doing more.

“CISOs have a broad portfolio and should go from technology to legal, marketing, communications, communications, relationship management, and finance,” he said. “This leads to many CISOs being asked to take on a wider role, some even becoming chief information officers. There is also a natural progression involving physical security and fraud within the role as well as the integration of certain other functions into the overall delivery. The position will continue to evolve, especially around identity – with the need to properly and continuously authenticate customers and employees and reduce reliance on fraudulent authentication. “

However, all of this does not replace or even surpass the need for CISOs to be technically astute and well-versed in cybersecurity’s long-term foundations and evolving best practices, according to the 2024 Hall of Famers.

“Cyber ​​is still cyber. You still have basic cyber hygiene to do,” Hayslip said.

Natural drivers

Many factors have driven the evolution of the CISO role thus far and will continue to do so in the future. But one big driver is the advent of everything digital, which happened in the last twenty years or so.

“With the nature of business today, security is closely linked to performance, and if you don’t get security right, the impact on the business is more important now. [than in the past],” Hayslip said.

Looking to the future, Geisler believes the changing technology landscape will continue to drive the CISO revolution.

“In an ever-changing technology landscape, the role of the CISO is still vital to businesses, anticipating ongoing change. As operational leaders, CISOs navigate the evolution from automation to gen AI, following where technology leads,” he said. “While AI dominates current discussions, the future of quantum computing looks great. In five to seven years, quantum computing is poised to rival the brilliance of current-gen AI. The sheer volume of data, processing requirements, and speed will be priorities for many CISOs.”

Other inductees cited AI and quantum computing as shaping the work CISOs will need to do in the coming years, driving the integration of security into business processes and products.

The inductees also say that the ever-growing list of security-related laws and basic security requirements — such as data privacy laws and standards — will similarly expand the CISO’s duties and elevate the role’s importance and prominence.

They believe, too, that the increasing personal and professional liability that CISOs face for any security failure is driving changes in the CISO role.

That debt is giving security chiefs a regular seat at the executive table, a place in board meetings, and corporate directors and officers (D&O) insurance coverage — and more CISOs will get those things in the years to come.

CISOs are increasingly getting a greater voice and more authority to approve security measures.

That, Hayslip said, will get more and more leaders in the CISO position “treated like the management role it should be.”