{"id":7104,"date":"2026-02-17T10:01:00","date_gmt":"2026-02-17T10:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7104"},"modified":"2026-02-17T10:01:00","modified_gmt":"2026-02-17T10:01:00","slug":"with-cisos-stretched-thin-re-envisioning-enterprise-risk-may-be-the-only-fix","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7104","title":{"rendered":"With CISOs stretched thin, re-envisioning enterprise risk may be the only fix"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A majority of enterprise security leaders view their roles as \u201cno longer fully manageable,\u201d according to a recent report, and security consultants concede that the increasingly over-scoped nature of cyber execs\u2019 roles is a problem not easily fixed.<\/p>\n<p>At issue is the fact that companies have <a href=\"https:\/\/www.csoonline.com\/article\/3851735\/cisos-are-taking-on-ever-more-responsibilities-and-functional-roles-has-it-gone-too-far.html\">consistently broadened the CISO\u2019s jurisdiction and responsibilities<\/a> without providing new resources to accomplish it.<\/p>\n<p>\u201cGiven the CISO role\u2019s continued expansion across new functional domains and enterprise-wide responsibilities, more than half (52%) of CISOs reported their scope is no longer fully manageable,\u201d the <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/2026-report-finds-executive-level-ciso-titles-more-prevalent-than-ever\">2026 State of the CISO Benchmark Report<\/a> from IANS Research and Artico Search found. 
\u201cCISOs warn scope-resource imbalances may have far-reaching consequences including delays in strategic priorities, erosion of long-term resilience and reactive security operations with diminishing quality.\u201d<\/p>\n<p>In addition to traditional information security responsibilities, such as security operations, security engineering, GRC, and application security, many CISOs now oversee business risk functions, including risk and compliance, third-party risk management, disaster recovery, and product security. \u201cNearly 30% also have ownership over parts of the IT stack, including IT compliance, IT operations, or networking,\u201d the survey of 662 CISOs found.<\/p>\n<p>Cybersecurity consultant <a href=\"https:\/\/formergov.com\/directory\/brianlevine\">Brian Levine<\/a>, a former federal prosecutor who serves as executive director of FormerGov, says CISOs can\u2019t be expected to handle everything that touches cybersecurity that no one else wants.<\/p>\n<p>\u201cEnterprise CISOs aren\u2019t just burned out; they\u2019re boxed in. The title keeps rising, but the influence doesn\u2019t always follow,\u201d Levine says. \u201cThe modern CISO isn\u2019t just running a security program anymore. They are running a geopolitical, regulatory, and enterprise\u2011wide risk portfolio. The scope has exploded so fast that the role is outpacing what any one person can reasonably own.\u201d<\/p>\n<p>As a result, CISOs are increasingly being placed in an impossible position \u2014\u00a0and one that is becoming a single point of failure for many organizations.<\/p>\n<p>\u201cWhen a single executive is accountable for everything from identity to AI governance to third\u2011party risk, it stops being a job and starts being an impossible expectation. 
That\u2019s exactly what I\u2019m seeing across the enterprise landscape,\u201d Levine says.<\/p>\n<p>And those impossible expectations are coming with few added resources, <a href=\"https:\/\/www.cio.com\/profile\/aaron-painter\/\">Aaron Painter<\/a>, CEO of Nametag, points out.<\/p>\n<p>\u201cThe scope has expanded faster than authority, budget, or organizational alignment,\u201d he says. \u201cCISOs are now expected to cover cloud, identity, insider risk, third parties, AI-driven threats, and deepfakes, often with the same teams and tools they had five years ago.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A question of ownership and influence<\/h2>\n<p>At issue is an increasing perception that \u201cthe CISO can be the catch\u2011all for every emerging threat,\u201d Levine notes.<\/p>\n<p>Fixing the situation, for CISOs and organizations alike, will likely require a rethink of how security and risk leadership should be structured, he says.<\/p>\n<p>\u201cThe solution isn\u2019t to find superhuman CISOs. It\u2019s to redesign the role, distribute responsibility, and give them the authority to match the accountability,\u201d Levine advises. \u201cThe unmanageable part isn\u2019t the work: It\u2019s the mismatch between responsibility and influence. Until boards rebalance that equation, CISOs will continue to feel like they\u2019re set up to fail.\u201d<\/p>\n<p>The CISO at a Fortune 100 manufacturer, who asked that his name and company not be referenced, said his purview before he became CISO was exponentially more manageable.<\/p>\n<p>Today, as CISO, he says, \u201cthere is no safe space. When I was just running the operational side, I was on top of it, I was confident, and I felt in control. I don\u2019t confidently know everything that is happening today like I did before. I feel vulnerable or naked talking to my boss or the board. I need to focus on too many things that oppose each other. 
You can\u2019t be an expert in everything.\u201d<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group, has seen this soup-to-nuts CISO jurisdiction in use across many verticals.<\/p>\n<p>\u201cThe CISO role is quietly becoming unmanageable,\u201d he says. \u201cThe nature of the job itself has changed. The modern CISO is expected to be a technologist, a risk executive, a compliance authority, a business strategist, a crisis manager, a public-facing spokesperson during incidents, and a de facto owner of third-party support. And to do all of that in an increasingly complex and rapidly morphing cybersecurity risk landscape.\u201d<\/p>\n<p>Avakian adds: \u201cBoards and executives have to decide what the CISO truly owns versus what they influence. You cannot hold someone accountable for enterprise cybersecurity risk while also making them responsible for every firewall rule, phishing click, and third-party vendor misstep.\u201d<\/p>\n<p>A board-level rethink of cyber strategy is also imperative, he says.\u00a0<\/p>\n<p>\u201cStrategy and operations need to be intentionally tiered. The CISO has to be structurally treated as a risk executive,\u201d Avakian notes. 
\u201cThat means access to the CEO and board, business visibility and access, and the authority proportional to accountability and governance models that treat cyber risk like financial or legal risk, and shared ownership across the business.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Structural changes necessary<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\">Flavio Villanustre<\/a>, CISO for the LexisNexis Risk Solutions Group, says many organizations have already made the structural changes necessary to address the rising importance \u2014 and specialization \u2014\u00a0of cybersecurity and risk functions.<\/p>\n<p>\u201cThe breadth and depth of information security and cybersecurity have increased so significantly over the past two decades that it drove a sea of specializations: SOC, blue and red teams, application security, cloud and infrastructure security, GRC, control monitoring, security architecture, identity and access management, and many more,\u201d Villanustre says.<\/p>\n<p>\u201cGone are the days when a single person could possess all necessary knowledge to cover all cybersecurity needs of a corporation,\u201d he adds. \u201cCISOs nowadays are more akin to CIOs, with a higher focus on security and privacy aspects, managing organizations that span from dozens to hundreds of people, in addition to leading the rest of the company by influence.\u201d<\/p>\n<p>But those organizations that continue to saddle CISOs with additional remits risk rendering the role nonviable, says <a href=\"https:\/\/greyhoundresearch.com\/svg\/\">Sanchit Vir Gogia<\/a>, chief analyst at Greyhound Research.<\/p>\n<p>\u201cThe CISO role has been pushed to its cognitive, operational, and strategic breaking point,\u201d he says. \u201cThis isn\u2019t about performance gaps or capability shortfalls. This is about a job that has been stretched across so many domains that it no longer fits within the bandwidth of a single human being. 
At least not one who wants to remain effective, credible, and sane.\u201d<\/p>\n<p>Gogia says that just in the past half decade CISOs have taken on \u201cbusiness continuity, data privacy, ESG reporting, supply chain integrity, AI governance, physical security, fraud, and even real estate oversight in some cases.\u201d<\/p>\n<p>\u201cIn some organizations, the CISO is also expected to lead risk quantification, participate in executive crisis simulations, and oversee elements of legal and regulatory compliance,\u201d he says. \u201cThat\u2019s not scope expansion. That\u2019s an organizational dumping ground.\u201d<\/p>\n<p>Gogia suggests that the typical enterprise CISO\u2019s day is overflowing with tasks that prevent the executive from truly performing the fundamental facet of the role: advancing enterprise defense.<\/p>\n<p>CISOs today \u201chave to communicate vulnerabilities to engineering teams in the morning, prepare board-level business risk briefings at noon, and resolve a cloud provider dispute by night. That\u2019s not leadership. That\u2019s intellectual triage on a daily loop. The result? Priorities blur. Roadmaps stall. Burnout creeps in not through dramatic collapse but through constant erosion,\u201d Gogia says.<\/p>\n<p>\u201cWe\u2019ve seen this play out in multiple organizations. Security transformation programs delay quarter after quarter, not because the CISO lacks competence, but because their day is consumed by audit prep, compliance follow-ups, stakeholder briefings, and vendor escalations,\u201d he says.<\/p>\n<p>Gogia advises CISOs to work with senior management in taking a critical look at everything the CISO is being asked to do.<\/p>\n<p>\u201cWhat truly belongs? What has been bolted on out of convenience? What requires its own leadership function? In many cases, privacy, physical security, and ESG risk deserve separate ownership,\u201d Gogia says. 
\u201cLet the CISO be the architect of cyber risk, not the landfill for all loosely related responsibilities.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A majority of enterprise security leaders view their roles as \u201cno longer fully manageable,\u201d according to a recent report, and security consultants concede that the increasingly over-scoped nature of cyber execs\u2019 roles is a problem not easily fixed. At issue is the fact that companies have consistently broadened the CISO\u2019s jurisdiction and responsibilities without providing [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7105,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7104"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7104"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7104\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7105"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/
index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}