{"id":3484,"date":"2025-06-09T10:00:00","date_gmt":"2025-06-09T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3484"},"modified":"2025-06-09T10:00:00","modified_gmt":"2025-06-09T10:00:00","slug":"cisos-reposition-their-roles-for-business-leadership","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3484","title":{"rendered":"CISOs reposition their roles for business leadership"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>They may have the word \u201csecurity\u201d in their title, but the mandate for today\u2019s CISOs is to evolve from being security gatekeepers to architects of business continuity and operational resilience.<\/p>\n<p>No longer are CISOs solely focused on locking down things like firewalls and conducting compliance checks. Now, they\u2019re involved in broader conversations about business growth, digital strategy, and customer trust. They\u2019re expected to deeply understand the business and know the company\u2019s goals, revenue streams, and assets to prioritize security assets effectively.<\/p>\n<p>Many are also overseeing IT functions to ensure alignment between security protocols and operational efficiency.<\/p>\n<p>In short, instead of just saying \u201cno\u201d to risk, they\u2019re assessing cyber risks in the overall business risk context, helping the organization make informed decisions about risk appetite. 
This requires a strategic mindset and the ability to communicate complex security issues in business-friendly terms.<\/p>\n<p>As cyber threats increasingly disrupt business operations, boards now look to their security leaders not just for protection but for proactive insights that shape everything from investment decisions related to tech infrastructure to product development and data governance.<\/p>\n<p>CISOs are embracing this <a href=\"https:\/\/www.csoonline.com\/article\/3626973\/cisos-embrace-rise-in-prominence-with-broader-business-authority.html\">newfound recognition of their elevated roles<\/a> with gusto. Here is a look at how some CISOs have transformed themselves into more integral business leaders for their organizations.<\/p>\n<h2 class=\"wp-block-heading\">Gaining trust with the board, other leadership<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/amitbasu\/\">Amit Basu<\/a>\u2019s role as CISO of International Seaways has been expanded to include the titles of vice president and CIO as well. This is not surprising, he says, because Seaways\u2019 board realizes security is woven into every business function.<\/p>\n<p>\u201cAs digital transformation accelerates and cyber risk becomes a core business concern, CISOs are now expected to align security initiatives with broader organizational goals, drive resilience, and enable innovation,\u201d Basu says. \u201cSecurity requirements are now intertwined with every digital project from the conception stage, ensuring that digital investments are built with the resilience needed to deliver business value despite evolving threats. 
This integration elevates the CISO\u2019s role, positioning them as a key strategic leader within the enterprise.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Amit Basu, VP, CIO, and CISO, International Seaways<\/p>\n<p class=\"imageCredit\">International Seaways<\/p>\n<\/div>\n<p>It\u2019s up to the CISO to gain the trust of the management team and the board so they understand that security is not an IT issue or a technical problem, Basu stresses. It requires \u201cemotional intelligence,\u201d as well as some boldness and visionary leadership, he says.<\/p>\n<p>Basu\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/2510280\/cisos-successfully-take-on-dual-titles.html\">dual-titled role is emblematic of a rising trend<\/a> in the C-suite that sees security leaders better positioned, <a href=\"https:\/\/www.csoonline.com\/article\/1310363\/the-death-of-the-cio.html\">sometimes even than CIOs<\/a>, to lead tomorrow\u2019s tech departments.<\/p>\n<h2 class=\"wp-block-heading\">Giving it to them straight<\/h2>\n<p>CISOs are now working with business leaders and <a href=\"https:\/\/www.csoonline.com\/article\/3953098\/what-boards-want-and-dont-want-to-hear-from-cybersecurity-leaders.html\">boards to ensure that cybersecurity considerations<\/a> are embedded into every issue, Basu says. 
\u201cAnd, they have become translators for articulating the complex technology risks in business terms that resonate with senior leadership.\u201d<\/p>\n<p>When CISOs communicate effectively, or have what Basu calls \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3543810\/chief-risk-storyteller-how-cisos-are-developing-yet-another-skill.html\">a storytelling skill<\/a>,\u201d it elevates them from an operational manager to a trusted advisor and a strategy leader.<\/p>\n<p>Communication is a key strategy for building trust and influence across the organization, agrees <a href=\"https:\/\/www.linkedin.com\/in\/kagaurav\/\">Gaurav Kapil<\/a>, senior vice president and CISO at financial services firm Bread Financial.<\/p>\n<p>\u201cThe CISOs of the present and the future need to get out of being just technologists and build their influence muscle as well as their communication muscle,\u201d Kapil says. They need to be able to \u201crelay the technology and cyber messaging in words and meanings where a non-technologist actually understands why we\u2019re doing what we\u2019re doing.\u201d<\/p>\n<p>For example, a CISO saying, \u201cI need to implement a new vulnerability management capability,\u201d doesn\u2019t mean anything to businesspeople, Kapil notes. \u201cBut translating that into the value it provides to the organization and the benefits it provides, the risk it reduces, the business it enables \u2014 all those mechanisms enable the CISO to build their trust vault.\u201d This needs to be a continuous exercise, he adds. \u201cIt\u2019s not transactional but more of a value-based conversation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Having risk rather than cyber conversations<\/h2>\n<p>Bread Financial holds a lot of personally identifiable information (PII) for millions of customers, and it goes without saying that it needs to be protected. 
Naturally, the business cares about abiding by all the regulatory requirements a financial services firm is subject to, Kapil says, but he needs to always be thinking beyond that, especially when it comes to the implications of this PII being leveraged in an unauthorized way.<\/p>\n<p>\u201cTalking about encryption and tokenization is not really going to help the business,\u201d he says. \u201cBut talking about, \u2018If we do not secure the information and its access for unauthorized purposes, here are the implications,\u2019\u201d including loss of customer confidence, regulatory fines and additional oversight, and reputational loss \u2014 \u201cthose are the kinds of things the business cares about more.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Gaurav Kapil, SVP and CISO, Bread Financial<\/p>\n<p class=\"imageCredit\">Bread Financial<\/p>\n<\/div>\n<p>Further, instead of playing \u201ca policing role,\u201d CISOs need to think artfully about forming more influential relationships; and instead of having cyber conversations, have risk conversations, Kapil says.<\/p>\n<p>That notion of transforming one\u2019s mindset into that of a risk officer is something many CISOs see as a <a href=\"https:\/\/www.csoonline.com\/article\/3552939\/whats-next-for-the-ciso-role.html\">future foundation of the top security officer role<\/a>.<\/p>\n<p>\u201cIn my role, I partnered with my peers across technology from a product development [and] platform perspective, from a cyber risk or a tech risk perspective, where we partner with my enterprise risk leaders\u201d and have more risk conversations discussing the \u201cwhy,\u201d and the value something will bring to the organization, Kapil says.<\/p>\n<p>As the conversation shifts, Kapil has become adept at identifying the big \u201crisk blocks in our portfolio,\u201d and weighing those against business priorities, which also adds value to the role, he says.<\/p>\n<p>\u201cOtherwise, if 
you\u2019re just solving for the next thing, we\u2019re not really being risk aware, and we\u2019re just doing things for the sake of doing things, which is not the best way of operating,\u201d he adds.<\/p>\n<h2 class=\"wp-block-heading\">Becoming an enabling CISO<\/h2>\n<p>In 2018, a CISO report from Synopsys identified four different types of CISO \u201ctribes,\u201d each with its own distinct characteristics. <a href=\"https:\/\/www.linkedin.com\/in\/chad-lemaire-ciso\/\">Chad LeMaire<\/a>, deputy CISO at NDR platform provider ExtraHop, and currently interim CISO, characterizes himself as an enabler CISO.<\/p>\n<p>\u201cCISOs who are enablers can have the greatest impact on the business because they understand the business objectives,\u201d LeMaire explains. \u201cI like to say we don\u2019t do cybersecurity for cybersecurity\u2019s sake. \u2026 Ultimately, we do cybersecurity to contribute to the goals, missions, and objectives of the greater organization. When you\u2019re an enabler that\u2019s what you\u2019re doing.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Chad LeMaire, interim CISO, ExtraHop<\/p>\n<p class=\"imageCredit\">ExtraHop<\/p>\n<\/div>\n<p>There is security risk and there is <a href=\"https:\/\/www.csoonline.com\/article\/566417\/enterprise-risk-management-erm-putting-cybersecurity-threats-into-a-business-context.html\">enterprise risk<\/a>, and the CISO has become the \u201clinchpin that ties all the departments together as we identify risk,\u201d says LeMaire.<\/p>\n<p>Charged with managing enterprise risk along with security operations, LeMaire works with other departments and in tandem with ExtraHop\u2019s CIO to develop a risk matrix score and formulate plans to mitigate risk. \u201cThen you\u2019re left with what is referred to as \u2018residual risk,\u2019 that focuses on risk to the organization,\u201d he says. 
This is not necessarily security-focused, he says, because it affects all departments, but CISOs are involved with broader risk management.<\/p>\n<p>CISOs are now also more frequently responsible for operational planning, which encompasses <a href=\"https:\/\/www.csoonline.com\/article\/2071383\/risky-business-a-step-by-step-guide-to-assessing-cyber-risk-for-the-enterprise.html\">business impact analysis<\/a> and creating <a href=\"https:\/\/www.csoonline.com\/article\/515730\/business-continuity-and-disaster-recovery-planning-the-basics.html\">disaster recovery<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3829684\/how-to-create-an-effective-incident-response-plan.html\">incident response plans<\/a>, LeMaire says. They must coordinate <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">tabletop exercises<\/a> so when something happens, everyone knows what the plan is and what their role is to ensure the business continues to operate.<\/p>\n<p>\u201cIt\u2019s greater than cybersecurity at that point,\u201d he says. \u201cContingency could be a disaster that is not related to cybersecurity \u2014 but there are cybersecurity impacts based on certain disasters.\u201d<\/p>\n<p>Bread Financial\u2019s Kapil is also responsible for business continuity and disaster recovery. That, coupled with a whole host of other functions, enables him to set the right agenda for the cyber organization, build the right architecture to support cyber strategies, implement a <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero trust environment<\/a>, and ensure anomalous activities are monitored in real time. 
Having a breadth of responsibilities, Kapil says, enables him to run a safe and secure organization.<\/p>\n<h2 class=\"wp-block-heading\">Helping the organization recognize that cyber needs to transform, too<\/h2>\n<p>Like many organizations, Bread Financial is in the midst of a business and digital transformation. Kapil believes strongly that the security organization also has to transform.<\/p>\n<p>\u201cA tech transformation cannot be successful without a cyber transformation as well,\u201d he says. To do this successfully requires Kapil to think outside the box and align the IT and cyber practices that will enable the company to be a tech-forward financial services organization.<\/p>\n<p>\u201cWe can\u2019t afford to just be cyber technologists. We\u2019ve got to get out of our box and speak the language of risk, speak the value, the language of our finance partners,\u201d Kapil says. It\u2019s up to the CISO to <a href=\"https:\/\/www.csoonline.com\/article\/3801015\/the-cfo-may-be-the-cisos-most-important-business-ally.html\">make the CFO understand<\/a> why security has the budget it has and the value the organization provides.<\/p>\n<p>\u201cWe\u2019re leveraging tech and cyber to enable the business, enable the partners, and ensuring that this business platform continues to be a safe and secure operating platform. That is key to the underlying message,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">A business-focused title emerges<\/h2>\n<p>With CISOs repositioning their roles and in recognition of how integral security has become to the business, some larger organizations are now adding business information security officers (BISOs) to their leadership teams. 
A <a href=\"https:\/\/www.csoonline.com\/article\/574279\/the-biso-bringing-security-to-business-and-business-to-security.html\">BISO<\/a> is embedded into the business and understands and aligns with strategic priorities and <a href=\"https:\/\/www.csoonline.com\/article\/525128\/it-risk-assessment-frameworks-real-world-experience.html\">risk frameworks<\/a>, says Michael Petrik, securities industry risk group associate at FS-ISAC, which has developed a <a href=\"https:\/\/www.fsisac.com\/hubfs\/Knowledge\/BISO_ProgramRoleWhitePaper-Final.pdf\">BISO Program and Role White Paper<\/a> for the financial sector.<\/p>\n<p>The BISO role emerged to bridge the gap between business objectives and cybersecurity oversight that has existed in many companies, Petrik says.<\/p>\n<p>\u201cBy acting as a liaison between business, technology, and cybersecurity teams, the BISO ensures that security measures are aligned with business strategies and integrated effectively,\u201d he says. Digital transformation, emerging technologies, and rapid innovation are business mandates, and security teams add value and manage risk better when they are involved before a platform is selected or implemented, he says.<\/p>\n<p>A BISO should be viewed as a complement to a CISO \u2014 not a replacement, Petrik stresses.<\/p>\n<p>CISOs have a widening set of responsibilities including enterprise-wide cybersecurity strategies, establishing policies, and managing overarching cyber risk. 
The BISO is an extension of the role by translating technical security knowledge into core business applications, Petrik says.<\/p>\n<p>As CISOs look to reposition their roles for more business-centric responsibilities, they can utilize BISOs to help them gain greater visibility, more agility, and improved alignment across the organization, Petrik says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>They may have the word \u201csecurity\u201d in their title, but the mandate for today\u2019s CISOs is to evolve from being security gatekeepers to architects of business continuity and operational resilience. No longer are CISOs solely focused on locking down things like firewalls and conducting compliance checks. Now, they\u2019re involved in broader conversations about business growth, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3485,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3484","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3484"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3484"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3484\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3485"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3484"}],"wp
:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}