How is the role of the CISO evolving?
This role now stands as a pivotal figure in organizational strategy and security posture


The role of the Chief Information Security Officer (CISO) has undergone a profound metamorphosis. Once a primarily technical custodian sequestered within IT, the modern CISO is increasingly a strategic business leader, pivotal to organizational resilience, innovation enablement, and stakeholder trust.
Recent survey data underscores the shift: the proportion of CISOs who report directly to the CEO has almost tripled in just one year, soaring from five percent in 2023 to 14 percent in 2024. Facing increasingly complex digital threats and transformative technologies like Artificial Intelligence (AI), today’s CISO must be a multifaceted expert, a strong communicator, and a visionary architect of enterprise-wide security.
The modern-day CISO: responsibilities, remit, and key alliances
Being a CISO in the current era means shouldering a vast array of responsibilities that extend far beyond the traditional confines of IT protection. Core duties now include strategic risk management, aligning security posture with overarching business objectives, and maintaining a dynamic grasp of the organization’s risk appetite.
As Gartner’s Nathan Parks cautions: “With only 14 percent of security-and-risk leaders able to secure their data and support business goals, many organizations court vulnerability and inefficiency.”
Developing and continuously tuning enterprise-wide policies, standards, and controls is, therefore, just the start. Indeed, the modern CISO must also ensure the organization is ready to detect, respond to, and recover from security events with minimal disruption.
The CISO’s remit is truly enterprise-wide, touching every information asset and process, so success hinges on robust collaboration. Board-level engagement has become the norm: Splunk’s 2025 CISO Report notes that 82 percent of CISOs interact directly with the CEO and 83 percent attend board meetings on a regular basis, prompting author Michael Fanning to observe, “CISOs have officially arrived in the C-suite, and we’re working more closely with our boards than ever before.”
Beyond the boardroom, a tight partnership with the CIO grounds security strategy in operational reality, while coordination with Legal and Compliance navigates the rising tide of data-protection regulations. Human Resources helps cultivate a security-aware culture and manage insider risk, and — perhaps most critically — business-unit leaders ensure that controls support, rather than stifle, innovation.
Finally, today’s CISO is increasingly expected to spearhead organizational resilience. PwC’s 2025 Global Digital Trust Insights frames the opportunity plainly: “CISOs can lead resilience-building efforts by proactively assessing risks and scenario-planning — translating how strong resilience benefits the business is just as important as the plan itself.” In other words, the modern security chief is no longer a gatekeeper at the edge of IT, but a business architect whose influence — and accountability — extends to every corner of the enterprise.
The evolutionary journey of the CISO
The CISO role, or its early equivalents, began to solidify in the late 1990s and early 2000s, largely in response to the burgeoning reliance on networked IT systems and the initial waves of internet-borne malicious activities. Initially, the focus was heavily technical.
However, several powerful forces have dramatically reshaped and elevated the role, particularly over the last decade. The escalating sophistication of hostile actors, transitioning from opportunistic individuals to well-resourced, often state-affiliated groups, has fundamentally changed the nature of the challenge.
At the same time, widespread digital transformation, such as cloud adoption, IoT, mobile computing, and the sheer volume of data, has expanded the organizational surface vulnerable to security compromises. Additionally, the surge in data privacy regulations like GDPR and CCPA has increased accountability on organizations and their CISOs.
Public security incidents now involve severe financial penalties, reputational damage, loss of customer trust, and operational paralysis, elevating security to a board-level imperative. Consequently, the CISO role has evolved from technologist to strategic risk executive, often reporting higher and needing broader skills in business, finance, communication, and leadership.
On the horizon: enduring challenges and AI as a strategic ally
The future for CISOs promises no abatement in challenges. Digital perils will keep mutating, which means security leaders must constantly work to stay several steps ahead.
Indeed, the talent crunch shows no sign of easing: the 2024 ISC² Cybersecurity Workforce Study puts today’s global workforce gap at 4.76 million professionals. Furthermore, more than half (59%) of organizations say skills shortages have already had a significant impact on their ability to shield themselves against adversaries who can now use AI at scale, while internal teams are stretched dangerously thin.
This all means that the modern CISO must marshal strategy, technology, and cross-functional alliances to keep the enterprise secure today, tomorrow, and beyond.
A number of technologies, particularly AI, offer a powerful means for CISOs to augment their capabilities and stay ahead.
AI can be a significant force for good by automating voluminous and repetitive tasks, thus freeing up human analysts for more strategic work. It can enhance detection capabilities by identifying subtle patterns and anomalies indicative of sophisticated hostile actions that might evade traditional tools.
Furthermore, AI can accelerate response times to security events through automated containment measures. Research from various bodies supports this positive outlook.
A Microsoft Security survey, for instance, revealed that nearly half of current AI for security users felt good about its ability to make critical security decisions. This growing confidence suggests a shift in perception, where AI is increasingly viewed as an indispensable aid rather than a potential hindrance to an organization’s protective posture.
The path forward: strategic adaptation and leadership
While AI offers immense promise, the rapid emergence of generative AI (GenAI) also introduces a new frontier of specific concerns for CISOs, particularly regarding its secure adoption within the business.
Data protection and potential leakage are paramount. The ISMG "2024 Generative AI Study" found that 80% of leaders fear sensitive information slipping through the cracks when employees use GenAI tools, especially public models, without proper oversight. CISOs must establish robust governance frameworks to manage data input and output for GenAI systems to prevent inadvertent exposure of proprietary or customer information.
Compliance is another significant hurdle, with evolving regulations like the EU AI Act causing confusion. Indeed, just 38% and 52% of business and cybersecurity leaders, respectively, say they do have a good understanding of AI regulations, according to the ISMG study.
Finally, the rise of emerging GenAI-driven perils requires proactive attention. Hostile actors are already exploring how GenAI can be used to craft more convincing, deceptive email campaigns, generate polymorphic malicious code, or create sophisticated disinformation.
The CISO of today and tomorrow must be adaptable, business-savvy, and technologically astute. Their role involves not only safeguarding the organization but also enabling secure innovation.
This includes championing the safe, ethical adoption of AI in security and guiding its responsible use across the enterprise. By understanding both the potential and risks of technologies like GenAI, CISOs can strategically leverage them as powerful allies.
Continuous learning, strategic foresight, and resilient leadership are essential for navigating the digital world securely.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.