The CISO Evolution – From IT Operations to Earning a Seat at the Table

April 7, 2017 - 5 Comments

With the escalation of cybercrime, the role of Chief Information Security Officer (CISO) is fast evolving beyond its traditional operational functions of monitoring, repelling and responding to cyber threats.  Continuous changes in our connected business landscape make customer data, intellectual property and brand properties new targets for information theft, which can directly impact business performance and shareholder value. In response, CISOs are progressing to a stronger leadership role, with an imperative to move beyond the confines of reaction and enforcement.

As I looked to this list of influential security officers across a broad spectrum of industries, I realized we are all tasked with an evolving and challenging assignment to secure the integrity of our businesses and customers – integrate fully within the organization, strategically approach information risk management and lead the transition toward a culture of shared cybersecurity ownership across the enterprise.

The losses stemming from modern cybercrime are not limited to high profile attacks. While 2016 brought sensational headlines of a half billion records stolen from a leading online search portal (and a subsequent massive devaluation), catastrophic hacks to a major political party and serious attacks on other corporate giants, small-to-midsized businesses were just as vulnerable.

Many organizations can quantify the revenue losses they experience due to public breaches. 29 percent of security professionals responding to our 2017 Annual Cybersecurity Survey said their organizations experienced a loss of revenue as a result of cyberattacks. Of that group, 38 percent said that revenue loss was 20 percent or higher. There is also an impact on customer attrition. 22 percent of responding organizations said they lost customers as a result of attacks. Of those, 39 percent said they lost 20 percent of their customers or more. These are very high stakes.

Such dramatic consequences are possible because of the significant maturation of cybercrime. The situation has quickly advanced from unrefined “old school” hackers to “new school” professional cybercriminals linked to multi-billion dollar businesses with targeted ROI and sophisticated supply chains. It’s a new form of organized crime, against which securing a business is not keeping pace. The lack of security not only increases risk of harm to existing operations; it can also hinder innovation and the progress of mission-critical initiatives.

Therein rests the CISO’s challenge and opportunity. Much like how the Chief Information Officer’s (CIO) role went through a decade of change, from running infrastructure operations to becoming a business enabler and senior leadership peer, the role of the CISO is following a similar journey. The Guardian and Technologist is giving way to the Business Strategist, the Business Enabler and the Trusted Advisor, who articulates risk, reviews metrics and reports regularly to the board. The importance of this shift is evidenced by increasing changes in CISO reporting structure, with 35 percent reporting directly to the CEO or President[1].  Also, the rate at which Boards are formally updated on cybersecurity risks has increased by ~20% in 2017 over 2015[2].

This greater business engagement requires CISOs to realign priorities and perhaps build some new skills. It’s a compelling moment of opportunity and responsibility for a profession that is emerging from the backroom of IT to a much needed seat at the boardroom table.

[1] Source: Forrester, 2015

[2] Source: Forrester, 2015

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Great article Steve on the constantly-changing, ever-evolving role of the security leader. As you rightly point out, the responsibilities and reporting structure of security leaders is in transition. As I point out in my LinkedIn article at, IDC predicts that “by 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, rather than the CIO”. Boards and the Executive Leadership Team are increasingly requiring regular updates on cybersecurity risk posture and this has to be a good thing given the seriousness of the evolving threats that organizations face today.

  2. The CISO role is going through a period of transition. The number of security breaches that have occurred over the last year is unprecedented and demonstrates a need for stronger security… CISO responsibility is changing, in dynamic threat environment…greater business engagement requires CISOs to realign priorities and perhaps build some new skills including Next Gen Sec Ops, Cloud Security, IoT (security), Artificial Intelligence (AI) security etc…. It’s a exciting moment of opportunity and responsibility for CISO profession that is emerging from the backroom of IT to a much needed seat at the boardroom table…

    • Yes those are good examples of the technology transitions we must adapt our teams to and connect them to the business priorities and risks.

  3. An interesting reworking of the role of the CISO and ROI for cyber criminals. I wonder what their punishment would be if they fail to meet targets.

    • Unfortunately, the punishment for most cyber criminals failures is they get to try again – and again – and again. As the saying goes, they only have to be right once 🙁