The role of the Chief Information Security Officer (CISO) has evolved dramatically as cyber threats become more sophisticated and persistent. Once guardians of firewalls and antivirus updates, CISOs were seen as technical troubleshooters, not strategic power players – buried in basements rather than briefing the board. But cyber threats didn’t stay in the server room.
The last two decades have seen a sea change in the threat landscape. Ransomware attacks are in the headlines almost daily, hitting targets across all industries. No organisation is safe – everything from hospitals to critical national infrastructure, major tech companies and retailers have been impacted by ransomware.
With most organisations relying on an ever-growing list of third-party software solutions, supply chain attacks have also surged. Many of the most infamous cyberattacks of all time – SolarWinds, NotPetya, Stuxnet – have occurred due to a vulnerability in the software supply chain.
The CISO’s environment has also grown increasingly complex. Perimeter-less cloud deployments, AI and a plethora of new cybersecurity tools have made the job infinitely more nuanced.
Nation-states have also started to use cybercrime as a tool to attack each other without putting a single boot on the ground. Warfare has moved from a purely kinetic form to become more all-encompassing, with well-funded teams of cybercriminals able to cause damage from thousands of miles away.
Amid these changes, cybersecurity has vaulted from IT checklist to existential business risk. CISOs have stepped into the spotlight – not just as defenders of data, but as architects of business resilience. What was once an almost purely technical career has changed. CISOs are now expected to have cross-disciplinary knowledge and to translate complex risks into clear strategy, guiding executive decisions and shaping how organisations respond to uncertainty.
Our last State of the Security Profession report reflects this shift. Communication skills (30%) now rank above technical or subject matter expertise (15%), a complete reversal from just four years ago. The modern CISO is increasingly a translator responsible for turning threat intelligence into boardroom insight, and ensuring cyber risk is understood not as a technical detail, but as a core business issue.
But with greater influence comes greater scrutiny. According to research, 70% of cybersecurity leaders say the risk of personal liability is reshaping how they see their roles. These concerns are more than theoretical. In 2023, the US Securities and Exchange Commission charged SolarWinds and its CISO, Timothy Brown, with fraud and control failures following the company’s high-profile breach. Though Brown was ultimately acquitted, the case sent a clear signal that CISOs are now firmly in the regulatory crosshairs.
It’s no longer enough to react when things go wrong. CISOs are being judged on their foresight, their governance and whether they put the right controls in place before the storm hits. In this pressure-cooker environment, the job demands more than technical expertise. Today’s CISO must lead with emotional intelligence, communicate at board level and foster a culture of resilience across the organisation.
As the demands on CISOs grow, and the conversations around liability continue, professional bodies like CIISec are vital in shaping the future of cyber leadership. Through rigorous capability frameworks and continuous professional development, CIISec empowers CISOs to lead with clarity, confidence and integrity. And in a landscape defined by rapid change and rising accountability, credentials matter.