{"id":2457,"date":"2025-03-24T06:00:00","date_gmt":"2025-03-24T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2457"},"modified":"2025-03-24T06:00:00","modified_gmt":"2025-03-24T06:00:00","slug":"cisos-are-taking-on-ever-more-responsibilities-and-functional-roles-has-it-gone-too-far","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2457","title":{"rendered":"CISOs are taking on ever more responsibilities and functional roles \u2013 has it gone too far?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When George Gerchow was CISO at Sumo Logic, his responsibilities incorporated the kind of work typically assigned to a chief information security officer \u2014 no surprise there.<\/p>\n<p>But Gerchow was also vice president of IT and during his tenure also assumed responsibility for real estate, such as decision-making about office locations and designs. Given the variety of responsibilities that had landed on his plate, he referred to his domain as RISC \u2014 real estate, security, and compliance.<\/p>\n<p>Gerchow acknowledges that it\u2019s not terribly unusual for a CISO to own the IT function at an organization, but being in charge of corporate real estate is, although he says taking it on made sense at the time.<\/p>\n<p>Gerchow, who worked at Sumo Logic from 2015 through 2024, acquired responsibility for real estate during the COVID pandemic, a spillover from his security and IT work as the company was making remote work and return-to-office decisions in which security was a major factor. 
To top it all off, he would later add environmental, social, and governance (ESG) duties to his work portfolio.<\/p>\n<p>Although the company had removed real estate and ESG from the CISO role by the time Gerchow left, its initial decision to consolidate disparate duties under the CISO exemplifies a trend within the chief security role. Gerchow\u2019s current position does so, too: He is now both interim CISO and head of trust at MongoDB as well as faculty at IANS Research.<\/p>\n<h2 class=\"wp-block-heading\">The role of CISO is continuously evolving<\/h2>\n<p>The CISO role <a href=\"https:\/\/www.csoonline.com\/article\/2510280\/cisos-successfully-take-on-dual-titles.html\">has been evolving<\/a> since its creation in the late 20th century alongside technology and internet-enabled threats, morphing to meet the demands of the moment. But the position hasn\u2019t just matured; in many cases it has expanded, <a href=\"https:\/\/www.csoonline.com\/article\/3633451\/6-ways-the-ciso-role-is-evolving-today.html\">taking on additional domains<\/a>.<\/p>\n<p>\u201cThe CISO role has expanded significantly over the years as companies realize that information security has a unique picture of what is going on across the organization,\u201d says Doug Kersten, CISO of software company Appfire.<\/p>\n<p>\u201cTraditionally, CISOs have focused on fundamental security controls and threat mitigation,\u201d he adds. \u201cHowever, today they are increasingly expected to play a central role in maintaining business resilience and compliance. Many CISOs are now responsible for risk management, business continuity, and disaster recovery as well as overseeing regulatory compliance across various jurisdictions.\u201d<\/p>\n<p>With major paradigm shifts, such as the introduction of AI to the enterprise tech stack across multiple areas of responsibility, it makes sense to bring in the CISO because of their ability to cross-collaborate, Kersten says. 
\u201cThis shift reflects the growing realization that cybersecurity is not just an IT issue; it\u2019s a fundamental part of operational and strategic business functions.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Embrace the expansion of responsibilities<\/h2>\n<p>Kersten says his \u201cscope of responsibilities as a CISO has broadened to include areas like compliance and governance, vendor risk management, and contributing to overall business continuity planning\u201d as well as the \u201ccritical new element of\u2026 understanding and addressing the implications of AI technologies.\u201d<\/p>\n<p>Security executives say this expansion of duties further elevates the CISO\u2019s standing within the organization \u2014 a welcome development for a position that hasn\u2019t always had equal standing within the C-suite.<\/p>\n<p>\u201cCISOs understand that they are being tasked with safeguarding the risks to their organization. Whether that means real estate or business continuity, we understand we need to own the risk and the security in order to successfully adhere and achieve the organization\u2019s objectives,\u201d says Jimmy Sanders, president of ISSA International, an association for cybersecurity professionals.<\/p>\n<p>\u201cCISOs should embrace the expansion of responsibilities,\u201d he adds. \u201cFor years CISOs have tried to ensure that they have a seat at the executive table in terms of being in the executive decision-making group. 
The expansion of responsibilities is part of the toll to be expected to ensure CISOs are in the room when crucial decisions are made.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Research is tracking the trend<\/h2>\n<p>IANS Research and Artico Search analyzed data collected from more than 830 security leaders for their 2025 State of the CISO Report and found that CISOs are taking on business risk, IT oversight, and digital transformation while retaining traditional infosec domains such as operations, architecture and engineering, digital risk, and compliance.<\/p>\n<p>It also found that a majority of CISOs now have more business risk functions such as business continuity, third-party risk management and product security. And it calculated that 25% to 50% also have functions such as physical security, privacy, and fraud protection in addition to enterprise risk management.<\/p>\n<p>Additionally, research showed that an emerging share (fewer than 25%) is broadening its scope to include artificial intelligence, mergers and acquisitions security, data governance, comprehensive IT oversight, and digital transformation and innovation.<\/p>\n<p>\u201cWe\u2019re seeing a convergence of roles under head of security because of the background and problem-solving skills of these people. They have become problem-solver in chief,\u201d says Steve Martano, IANS Research faculty and executive cyber recruiter at Artico Search. 
That, though, comes with challenges.<\/p>\n<p>\u201cCISOs are already experiencing high levels of stress, with <a href=\"https:\/\/3b7217ee.streaklinks.com\/CVGLd7f6etaDjRQ_eAjeXzy2\/https%3A%2F%2Fwww.blackfog.com%2Fhidden-crisis-stress-cisos-quitting%2F\">recent data<\/a> highlighting that nearly one in four CISOs are considering leaving the profession due to stress,\u201d Kersten says. \u201cMany CISOs only stay in the role for two to three years. With this, the expectations placed on CISOs are undeniably growing, and organizations risk overburdening them without sufficient resources and support. The increasing volume and complexity of global regulatory requirements, for instance, have created substantial challenges for security teams that ultimately fall to the CISO.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A seismic shift in responsibilities<\/h2>\n<p>The list of CISO responsibilities has been growing for at least a decade, observers say.<\/p>\n<p>Martano says some CISOs started to see IT come under their purview (after a long history of CISOs reporting to CIOs) with the rise of cloud computing with its embedded security. It\u2019s not particularly uncommon, he says, to see a combined CIO and CISO role \u2014 particularly in small-to-midsize businesses.<\/p>\n<p>CISOs then started taking on more business risk and, in some cases, the related areas of governance and compliance, he says.<\/p>\n<p>Sherron Burgess, senior vice president and CISO at BCD Travel, sees CISOs adding data privacy and trust to their workload, too, sometimes adopting the trust officer title to reflect those duties. 
Burgess says some of her work goes beyond conventional cybersecurity tasks, encompassing elements of regulatory compliance, third-party risk management, and physical security.<\/p>\n<p>\u201cIt\u2019s taking my skill set and applying it in new ways,\u201d says Burgess, who also serves as board chair for Cyversity, a nonprofit promoting diversity in the cybersecurity field.<\/p>\n<p>Case in point: She must determine how to most securely deliver documents for clients in sensitive geographic locales, determining whether delivery of documents via motorbike courier is more secure than digital delivery.<\/p>\n<p>Likewise, Richard Watson, global and Asia-Pacific cybersecurity consulting leader at professional services firm EY, says some CISOs also now own resilience, third-party risk management, and risk management assurance. Some have physical security, too, requiring oversight of equipment from fencing to surveillance cameras.<\/p>\n<p>Watson says this shows how \u201cCISOs often inherit stuff that doesn\u2019t have a lot to do with cybersecurity. It ends up with an accumulation of responsibilities, and it can become a hodgepodge.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Expansive knowledge, experience required<\/h2>\n<p>Watson says that the expansion of CISO responsibilities also expands the areas in which CISOs must be knowledgeable.<\/p>\n<p>For example, risk management assurance could require CISOs to understand laws and regulations around sustainability, corruption, and modern-day slavery to assure that their organizations don\u2019t use third parties who engage in problematic practices in those areas, he says.<\/p>\n<p>As a result, he says CISOs now need to be executives with business acumen and industry knowledge as well as crisis leadership skills. 
They also may need experience or expertise in legal, compliance, procurement, international regulations, and more.<\/p>\n<p>That can be a stretch for many CISOs, particularly those who advanced their careers solely through the technical ranks, Watson and others say.<\/p>\n<p>\u201cThe CISO isn\u2019t trained in all these areas and often isn\u2019t capable in all these areas,\u201d Watson adds.<\/p>\n<p>He believes that scenario can put a company on thin ice but also thinks an expanded CISO position can work under the right circumstances.<\/p>\n<p>\u201cI don\u2019t have a problem with a CISO having [multiple] roles, but you need the right person in the role. Put the right person in the role for what the capability has become and\/or train the person.\u201d<\/p>\n<p>Marty Barrack\u2019s executive journey models Watson\u2019s points. Barrack is CISO and chief legal and compliance officer at XiFin, a healthcare information technology company. He also oversees the company\u2019s ESG function.<\/p>\n<h2 class=\"wp-block-heading\">There is no such thing as having too many qualifications<\/h2>\n<p>\u201cIt really is a modern risk role: contract, operations, use of third parties, the vetting of third parties and subcontractors, it all comes together as control over the risk of the organization,\u201d he says. However, Barrack\u2019s qualifications are unlike those of most other CISOs.<\/p>\n<p>He holds a law degree and an MBA. Prior to joining XiFin, he had worked as a corporate counsel, chief procurement officer, and global privacy officer. He had senior roles at systems integrators and IT services firms. And he had owned his own law firm.<\/p>\n<p>Among other accomplishments, Barrack also holds several security-related certifications, including Certified Information Security Manager (CISM) and Certified In Risk and Information Systems Control (CRISC) \u2014 both from ISACA. (He is a member of the ISACA Emerging Trends Working Group.) 
He also earned the EC-Council\u2019s Certified Chief Information Security Officer (CCISO).<\/p>\n<p>Barrack joined XiFin in 2018 as general counsel \u201cbut very quickly security was given to me because I could translate security issues into perspectives that executives and IT understood, and I was able to help us enhance our maturity,\u201d he says, noting that under his direction the company adopted the NIST security framework and earned HITRUST certification for its largest product.<\/p>\n<p>Barrack acknowledges he has an uncommon combination of skills and experiences \u2014 and that his role is unusually broad as a result. He says the role will be broken up when he leaves. \u201cI don\u2019t believe one person will step into my shoes,\u201d he adds.<\/p>\n<p>That, he says, speaks to the specific circumstances that brought the multiple functions under his authority.<\/p>\n<p>Others speak to this point, too, saying that how, when and where the CISO role adds extra duties is dependent on the factors facing an organization.<\/p>\n<p>\u201cThe CISO\u2019s evolving role and responsibilities seem to vary based on the size, industry, and culture of an organization, and where they are in the \u2018maturity arc\u2019 of their core responsibilities,\u201d says Ryan Hammer, adjunct professor with Carnegie Mellon University\u2019s CISO Executive Education as well as vice president and CISO at software and systems company Ciena.<\/p>\n<p>He adds, \u201cOnce they have built a team and strong operating culture, defined strategic objectives and success measurements, and consistently demonstrated execution, many CISOs (or their executive leadership teams) identify adjacent areas that could benefit from a similar approach.\u201d<\/p>\n<h2 class=\"wp-block-heading\">When to accept role creep \u2013 and when to say no<\/h2>\n<p>But the consensus among security leaders who have experienced that kind of slow expansion of duties or \u201crole creep\u201d is that CISOs and their 
executive colleagues must be mindful of when it will work and when it won\u2019t.<\/p>\n<p>John Paul (JP) Cunningham, CISO of software company Silverfort, says the position in general has grown over the past few decades from a technical job into an enterprise risk executive role. And while he says many CISOs are well prepared to take on more responsibility, he believes some functions should not fall to the position.<\/p>\n<p>For example, he says the data protection officer \u201cshould be a standalone officer,\u201d explaining that the CISO and CDO roles deserve someone who has experience in both areas. \u201cI wouldn\u2019t say no one can do the job, but the pool of people who can is very small,\u201d he says. \u201cAnd for those who aren\u2019t qualified, you are setting them up to fail or to burn out.\u201d<\/p>\n<p>Cunningham says he once was asked if the chief data officer role should fall to him as CISO. \u201cI made a pretty impassioned defense that it shouldn\u2019t be me,\u201d he says. On the other hand, Cunningham has taken on a security evangelism role, working with external stakeholders and industry peers.<\/p>\n<p>Carl Froggett, who is both CIO and CISO at tech company Deep Instinct, shares similar insights.<\/p>\n<p>He sees the trend of consolidating some functions under the CISO as positive in the way it helps ensure risk and security are consistent throughout the organization. But, like others, Froggett says what and how much extra should go to the CISO depends on the individual\u2019s experiences and skills as well as the organization\u2019s needs in the moment.<\/p>\n<h2 class=\"wp-block-heading\">Hiring becomes more difficult when the role is too broad<\/h2>\n<p>Furthermore, he cautions that expanding the role too much will make hiring harder, noting that already \u201cthere aren\u2019t enough qualified people with the experience needed to do the CISO job.\u201d<\/p>\n<p>He also believes there are some tasks the CISO should not take on. 
\u201cThere are some roles CISO shouldn\u2019t do \u2014 like audit. Audit should have its independence to question your decision as a CISO,\u201d he says as an example.<\/p>\n<p>Still, Froggett, Cunningham, and others expect the CISO job will continue to expand in scope and require a broader set of skills, experience, and expertise from those filling the roles.<\/p>\n<p>\u201cOrganizations are seeing the value in the level of diligence, transparency, and consistency CISOs are bringing to their security programs these days. CISOs are also making connections between their responsibilities and adjacent areas of risk that have the potential to impact the companies they serve, such as supply chain, continuity of operations, and product security,\u201d Hammer says.<\/p>\n<p>\u201cThis is pushing us to get more involved and bring perspective and experience to manage risk in these areas. I think it is a positive development in the evolution of the role. Where it makes sense, it can help a CISO inculcate risk-minded decision-making and practices into other areas of the business.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When George Gerchow was CISO at Sumo Logic, his responsibilities incorporated the kind of work typically assigned to a chief information security officer \u2014 no surprise there. But Gerchow was also vice president of IT and during his tenure also assumed responsibility for real estate, such as decision-making about office locations and designs. 
Given the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2458,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2457"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2457"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2457\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2458"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}