How has the role of the CISO changed?
Empiric


Published 01/04/2019


The security landscape has been transformed in the last decade. From the attack on Sony in 2014 to the breach of 3 billion Yahoo! accounts to the Equifax hack, cybersecurity failures have rarely been far from the headlines.

One silver lining for these incidents, however, is that enterprise businesses are finally taking security seriously. What’s more, GDPR puts the onus on organisations to report issues and to proactively respond to them – and it has severe penalties for those that demonstrably fail or attempt to cover up breaches.

A wider remit

Over the past two years, security budgets have been increasing and CISOs are now beginning to step out of the shadow of the CIO and into the boardroom. Today’s CISOs may well be characterized as a generation of ‘Chief Cyber Risk Managers’, with a far wider set of responsibilities than in the past, said Sameer Ratolikar, Executive VP and CISO of HDFC Bank, speaking to ExpressComputer. “[The CISO’s remit is seeing] Information and cyber security merge with business continuity (cyber resiliency) and data privacy,” he explains. “Cyber security risk has become a business risk.” 

And businesses are facing digital threats from every angle, with ever more connections to secure across the breadth of the Digital Workspace (while IoT multiplies the number of potentially poorly secured access points far beyond the possibilities of BYOD). Then there’s network security to keep in mind, spanning novel multi-cloud and hybrid cloud infrastructures. And then there are the basics of regular patching, and, perhaps most importantly of all, ensuring good security hygiene in the workforce. After all, even if someone falls for a phishing email, being able to report the breach can make all the difference to the response. CISOs also have to face internal organisational challenges, of course – from legacy tech through to departmental siloing.

Smaller businesses shouldn’t believe that they are small enough to be safe from cyber threats, either. Failing to engage with security will instead leave them easy targets for digital fraud attempts and ransomware attacks, which might be repelled by better secured organisations.

No more ‘The department of “No”’

Significantly, there has also been a change in how security is perceived. A recent IDC report found that security is no longer seen as ‘the department of “No”’ but now balances risk and opportunity to enable change. What’s more, 90% of those surveyed agreed that the CISO was involved in significant business innovation or change decisions; while 46% of executives polled described information security as being “vital to the competitiveness of the products/services offered by the company”.

And this is true at every level. There is increasing recognition that security must be as ingrained in the culture as DevOps. Driving this change, CISOs must become business leaders, not just overseeing hardware but also addressing the full spectrum of risks that face modern, digitally-connected businesses. 

“In my role, you talk to board members and executives who admit they don't fully understand cybersecurity,” Thomas Hill, CISO at Live Oak Bank told TechTarget. “You could simply manage those expectations, and some CISOs do that, but a leader should drive that process to make sure those decision-makers get it.”


CISOs can become part of the process that pushes digital transformation forwards. “As more legislation emerges to define how organizations use and store sensitive data, I expect that CISOs will transition in people's minds to enablers – key consultants in the mandated security elements of development – rather than barriers to product launches,” wrote Francis Dinha, CEO and Co-Founder of OpenVPN Inc.

Leading CISOs will naturally need to be broad technical experts with a strong grounding in regulation; data management; identity/access controls; threat analysis; and system architecture. However, wider business skills are pushed to the fore by the promotion to the boardroom – spanning communications, marketing and finance. Up-and-coming security executives need an aptitude both for thought leadership and for driving new initiatives (ideally on top of a master's degree specialised in digital security).

In any case, the future certainly seems bright for security specialists – and businesses with an eye on the bottom line will be on the lookout for forward-looking CISOs and the security specialists who support them.

About Empiric

Empiric is a multi-award-winning business and one of the fastest-growing technology and transformation recruitment agencies specialising in data, digital, cloud and security. We supply technology and change recruitment services to businesses looking for both contract and permanent professionals.


Empiric are committed to changing the gender and diversity imbalance within the technology sector. In addition to Next Tech Girls we proactively target skilled professionals from minority groups which in turn can help you meet your own diversity commitments. Our active investment within the tech community allows us to engage with specific talent pools and deliver a short list of relevant and diverse candidates.
