The Evolving Role of the Chief Information Security Officer (CISO)
Part of the Trust in Digital Life Webinar Series 2025
The seventh in the 2025 series of TDL webinars took place on 8 May 2025, when a group of experienced professionals gathered to discuss the role of the Chief Information Security Officer (CISO), how it has evolved over the last few years and its likely future development. The aim was to cover the challenges and opportunities for modern day CISOs, particularly those associated with how the post itself is integrated into organisations, the responsibilities it entails and how it relates to other profiles in the organisation.
The webinar looked at some statistics and studies about burnout before exploring the evolution of the CISO in organisations, including the shift of the role from a technical to a business leadership position, and the importance of understanding the business and developing a strategy. It also explored the interpretation and implementation of EU regulations, particularly NIS2 (Network and Information Systems 2.0), and the need for a pragmatic approach. The conversation ended with advice for CISOs of large or medium organisations, emphasising the importance of understanding the business, developing a strategy, and fostering a sense of ownership and innovation within a corporate team. There was general agreement on the importance of continuous learning and adapting to the fast pace of technological change. The discussion also highlighted the challenges of being an independent consultant and the need to develop the skills to come up to speed quickly with the knowledge required for specific tasks.
Background
The position of CISO has evolved over the last few years and is likely to develop further in the future. The aim is to cover challenges and opportunities for modern day CISOs, particularly those associated with how the post itself is integrated into organisations, the responsibilities it entails and how it relates to other profiles in the organisation.
Some of the issues arising are:
Is there any agreement on what a CISO should do and where they should sit in an organisation? And are these realities reflected in current day job descriptions?
What are the key skill sets that are associated with the CISO post and how may they be best developed?
Given that smaller companies do not have the resources of bigger ones, how can the CISO concept be adapted to mid-range and smaller companies? Indeed, do smaller companies actually need a dedicated CISO, or would a security engineer suffice?
The Speakers
Moderated by TDL Strategic Advisor, Steve Purser, the speakers were:
Philipp Amann, Group CISO, Osterreichische Post AG
Guy Marong, Cybersecurity Management Expert, Cubic Consulting SARL
Johan Rambi, Interim CISO at Kenter B.V., a Dutch energy solutions and management provider for companies.
CISO's Evolving Role and Challenges
It was noted that the CISO's responsibilities vary by organisation, sector, company size and culture. The CISO's role is shifting from a technical to a business leadership position, as evidenced by a Splunk study. The CISO's relationship with a company's board is generally positive, with 84% of board respondents claiming CISOs meet their expectations. However, 21% of CISOs have been pressured not to report a compliance issue, and 65% of CISOs expect more of a leadership role in the coming year. The CISO's mental health is a concern, with 37.4% reporting occasional negative effects.
CISO Role in Business Operations
A discussion ensued on the experience and perspective of the role of the CISO in a large public organisation, emphasising the need for a deep understanding of how the business works. It was also mentioned that the CISO role is operational and has many different dimensions, and that the CISO should report to the CIO (Chief Information Officer) to simplify things from a board view. A question arose about potential problems with the CIO wearing two hats, but it was felt that this can work well depending on the particular organisation. It was also mentioned that it helps if the board is security-aware and recognises the importance of cybersecurity.
Security Officers' Role Evolution Challenges
The panellists with extensive experience as security officers discussed the evolution of their roles and the challenges they face, highlighting the importance of separating the security function from the CIO side and the need for a broader scope that includes privacy and strategic advisory roles. The significance of having the right skill set and competencies to effectively manage and respond to cyber incidents was also emphasised. The discussion touched on the varying levels of authority and respect within the enterprise, with experiences and perspectives on roles as C-level functions being shared.
CISO Role Evolves in Organisations
The panellists agreed that the CISO role is shifting from a purely risk mitigation focus to one that involves business enablement. The size of the organisation, industry and maturity level were identified as factors influencing the scope of the CISO's responsibilities. The team also noted that the CISO's role can vary significantly depending on the organisation's size and complexity. It was concluded that while larger organisations most likely have more strategic CISO roles, smaller companies may have more technical roles being sold as CISO positions.
CISO Role Evolution and Challenges
The panellists debated the required skill sets for a CISO, with a consensus that it should include technical skills, problem-solving abilities, collaboration skills and above all a willingness to learn. The importance of communication and strategic thinking in the role was also raised. The evolving nature of the CISO role was acknowledged, with some suggesting that it should be more strategic and less technical. The issue of burnout and stress in the CISO role was touched upon, with the suggestion that the role's evolution and the mismatch between skills and expectations could contribute to these issues.
EU Regulations and Governance Structures
The interpretation and implementation of EU regulations, particularly NIS2, which is primarily a cybersecurity regulation, was discussed, emphasising the need for a pragmatic approach, focusing on securing digital services that deliver, for example, letters and parcels, rather than including all aspects like the physical security of personnel supplies. The importance of job descriptions and governance structures in clarifying roles and responsibilities was highlighted, with the observation that regulations like NIS2 can provide clarity on who is responsible for what, as long as the right governance structure, metrics and control frameworks are in place.
CISOs' Advice for Large Organisations
A discussion followed focusing on advice to be offered to CISOs of large or medium organisations. Firstly, the importance of understanding the business and developing a strategy was stressed, along with the need for a thorough threat assessment. It was added that understanding an organisation's strategy and vision, as well as knowing the stakeholders, is crucial. Another piece of advice shared was to encourage managers to give their teams problems rather than solutions, to foster a sense of ownership and innovation.
Experience-based Advice To CISOs
· To advocate for pragmatic approaches to implementing cybersecurity regulations like NIS2 in their respective organisations.
· To focus on understanding their organisation's business, strategy and vision when developing cybersecurity plans.
· To develop analytics capabilities to provide data-driven insights for security management.
· To conduct thorough threat assessments to understand their organisation's threat landscape.
· To engage with stakeholders to understand expectations and align security goals with organisational objectives.
· To empower security leaders and their teams by presenting problems rather than prescribing solutions, encouraging innovation and ownership.