Business resilience and the role of the CISO

Randy Barr at Cequence Security asks whether the CISO is becoming an architect of business resilience

The CISO’s role has morphed beyond recognition, with Gartner predicting that 45% will see their remit extend beyond cyber-security by 2027. In addition to breach prevention, they are now responsible for overseeing the security programme, managing third-party risk and ensuring compliance. Several drivers explain this, from regulatory pressure to rapidly evolving threats and new technologies.


But is it a role that can continue in its current form, or will it splinter or even evolve into something else entirely?

The State of the CISO 2025 report claims CISOs now broadly fall into three categories. Strategic CISOs are predominantly active at C-suite and board level, aligning cyber-security with business goals; they make up 28% of the profession. Functional CISOs have influence at either the C-suite or the board level, but not both, which shows that it is still hard to gain a seat at both tables; they represent 50% of the workforce. Tactical CISOs, technical practitioners who have limited access to senior leadership and infrequent engagement with the board, are now in the minority at 22%.

It is a fascinating snapshot of how the role has changed: the majority now hold strategic leadership positions, with less emphasis on their technical prowess. The fight to be heard at board level has paid off, with cyber-security now firmly on the agenda. CISOs have become fluent in the language of the boardroom and seek to build trusted relationships at board and executive level so that security strategy is aligned with the broader business, acting as both strategic adviser and collaborator.

But it is a battle that has been hard won, and many feel overstretched. It speaks volumes that 77% of CISOs wonder whether the next data breach will cost them their jobs, not least because regulators are placing greater emphasis on personal accountability.


Under pressure

Recent developments include the SEC tightening its cyber-security disclosure rules. Listed companies must now report material cyber-security incidents on Form 8-K within four business days of determining that they are material, and their annual reports must describe the board of directors’ oversight of risks from cyber-security threats, along with management’s role and expertise in assessing and managing those risks.

Closer to home, the EU’s NIS2 directive, which applies to essential and important entities, allows national authorities to temporarily bar the senior managers of essential entities from exercising managerial functions where the entity fails to comply with enforcement orders. Just how closely the UK’s equivalent, the Cyber Security and Resilience Bill, will follow those requirements remains to be seen when it goes through parliament this year.

At the same time, threats are becoming harder to detect: 44% of CISOs say they cannot do so with their existing security tools. This is not only a question of capability; the operational and financial hurdles of evaluating, replacing and migrating between security products also slow things down. And because adversaries can pivot rapidly and their techniques grow ever more sophisticated, detection itself is becoming more complex.

Attackers increasingly favour evasive, low-and-slow tactics: spreading requests thinly across time and across many source addresses so that no single client ever trips a rate limit or matches a signature. Many detection tools and signature-based solutions struggle to identify this. APIs now account for the majority of web traffic, yet many businesses still rely on controls that key on source IP address and known attack patterns, such as Web Application Firewalls (WAFs) and API gateways, which an attacker rotating IP addresses can simply stay beneath. Behavioural analysis, which profiles how a client acts across many requests rather than where each request comes from, lets defenders observe the early signs of an attack, infer its intent and follow it as it pivots to new endpoints or infrastructure.
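As an added illustration of that contrast (example code written for this page, not code from the article or from Cequence), the following Python runs a per-IP rate limit and a behavioural detector keyed on a client fingerprint over the same constructed API log. The log format, the use of the User-Agent string as the fingerprint, the thresholds and every line of traffic are assumptions made for the example.

```python
"""Added example (not from the article): why per-IP rate limiting misses a
low-and-slow, IP-rotating API attack, and how a behavioural detector that keys
on a client fingerprint catches it and follows the pivot. All log lines below
are constructed for this example; the field layout and fingerprint are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    src_ip: str
    endpoint: str
    username: str
    status: int
    user_agent: str


def parse_line(line: str) -> Event:
    """Assumed log format: ISO timestamp|src_ip|endpoint|username|status|user_agent."""
    ts, ip, endpoint, user, status, ua = line.split("|")
    return Event(datetime.fromisoformat(ts), ip, endpoint, user, int(status), ua)


BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/118.0"
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"


def build_sample() -> list[str]:
    """Constructed traffic: 24 failed logins against 24 accounts, one request per
    source IP, two minutes apart (low and slow); a busy legitimate user; then the
    attacker pivots to password reset from yet another IP with the same fingerprint."""
    base = datetime(2025, 3, 1, 10, 0, 0)
    lines = []
    for i in range(24):
        t = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t}|203.0.113.{i + 1}|/api/login|user{i:02d}|401|{BOT_UA}")
    for i in range(40):  # alice polls her orders every 30 s from one IP
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t}|198.51.100.7|/api/orders|alice|200|{HUMAN_UA}")
    t = (base + timedelta(minutes=50)).isoformat()
    lines.append(f"{t}|203.0.113.99|/api/password-reset|user07|200|{BOT_UA}")
    return lines


def ip_rate_alerts(events, window=timedelta(minutes=10), threshold=30):
    """WAF/gateway-style control: flag a source IP that sends more than
    `threshold` requests inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e.ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def behavioural_alerts(events, window=timedelta(minutes=60), max_accounts=10):
    """Group by client fingerprint (here the User-Agent; a real system would also
    use TLS and HTTP fingerprints, header order and timing), ignore the source IP,
    and score outcomes: failed logins against distinct accounts inside the window."""
    fails = defaultdict(list)
    for e in events:
        if e.endpoint == "/api/login" and e.status == 401:
            fails[e.user_agent].append(e)
    alerts = {}
    for fp, evs in fails.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi, e in enumerate(evs):
            while e.ts - evs[lo].ts > window:
                lo += 1
            span = evs[lo:hi + 1]
            accounts = {x.username for x in span}
            if len(accounts) > max_accounts:
                prev = alerts.get(fp, {"failed_accounts": 0})
                if len(accounts) > prev["failed_accounts"]:
                    alerts[fp] = {"failed_accounts": len(accounts),
                                  "source_ips": len({x.src_ip for x in span})}
    return alerts


def track_pivot(events, fingerprint):
    """Once a fingerprint is flagged, follow it across IPs: every non-login
    endpoint it touched, so the password-reset step is attributed to the same actor."""
    return sorted({(e.endpoint, e.src_ip, e.username) for e in events
                   if e.user_agent == fingerprint and e.endpoint != "/api/login"})


if __name__ == "__main__":
    evs = [parse_line(l) for l in build_sample()]
    print("per-IP rate limit flagged:", ip_rate_alerts(evs) or "nothing")
    alerts = behavioural_alerts(evs)
    print("behavioural alerts:", alerts)
    for fp in alerts:
        print("pivot by flagged fingerprint:", track_pivot(evs, fp))
```

The per-IP control sees 24 addresses with one request each and a legitimate user well under its threshold, so it flags nothing. The behavioural detector groups by fingerprint instead, sees 24 failed logins against 24 different accounts from 24 addresses inside the hour, and then attributes the later password-reset call against one of those enumerated accounts to the same actor even though it arrives from a fresh IP. In production the fingerprint must be harder to forge than a User-Agent header, and the thresholds would be tuned per endpoint, but the principle is the one the paragraph above describes: score what a client does, not where it comes from.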

The growing financial implications of this elevated risk are also pushing the CISO into a more fiscal role. They must weigh risks and use data-driven decision-making to justify investment. It is no longer enough to show that an investment supports business continuity; boards now expect precise metrics on how it would reduce impact by minimising downtime and how it would cut the cost of a breach.

In addition, they must quickly get up to speed on emerging technologies such as generative AI (GenAI). Gartner predicts that more than 80% of enterprises will have used GenAI APIs or models by next year; without sufficient guardrails in place, this poses a significant risk to the confidentiality, integrity and availability (CIA) of the business’s data.

On a positive note, the ISC2 industry group predicts that the technology should also augment CISOs by taking on technical and routine tasks such as source-code security checks, compliance automation and threat detection, freeing the CISO to focus on strategy, leadership and decision-making.


How the role might change

These factors have led some to predict that the CISO role will split in two: one role focused on strategy and compliance (GRC), the other on security controls and cyber-hygiene. This would, however, make it much harder to achieve the joined-up oversight that many CISOs say is now making their jobs easier.


Others expect the CISO role to give rise to new C-suite roles such as that of Chief AI Officer (CAIO). But again, this risks increased fragmentation. The C-suite has already doubled in size over recent years, and this can impact the decision-making process, making it much more unwieldy and likely to result in missed opportunities.

What all the signs point to, however, is an increased emphasis on building cyber-resilience, which has been the principal focus on the regulatory front. Cyber-resilience has entered the business lexicon and has become synonymous with proactive, strengthened defence. This trend could well see the CISO’s role evolve into that of a Business Resilience Architect, taking a wider role across the company that draws on their existing skills in leadership and finance.

With the benefit of more oversight, due in part to the liberating effects of GenAI, the CISO could design and refine the security architecture to promote resilience, enabling security to help the business withstand the shocks and disruptions that attacks cause. Security controls would be embedded into every corner of the business, fostering a culture of resilience that strengthens defences while supporting growth.


It’s a role that bears comparison to that of the Enterprise Architect (EA) who harnesses both technology and business strategy to fulfil business transformation and optimisation goals from an IT perspective. The EA bridges the divide between IT and senior management; they oversee the technical architecture and its roadmap, planning for and integrating emerging technologies that confer operational advantage. In a similar way, the CISO could take an overarching approach. That said, we could equally see enterprise architecture and security combined under the CISO.


The jury is still out on whether the CISO will undergo a dramatic transformation. It’s a role that will need to balance the dual demands of defending against sophisticated adversaries and leading resilience strategies. It will undoubtedly benefit from GenAI once the technology is safely bedded in. But will it fracture or evolve? That remains to be seen.


What is clear is that many in the role feel the pressures currently associated with the job are too high. CISO is often said to stand for Chief Incident Scapegoat Officer - only half in jest. And that means something has to give.


Randy Barr is CISO at Cequence Security
