The role and responsibilities of CISOs are changing, but is the direction right? We asked Tyler Baker of Bitdefender.
What tasks are CISOs currently struggling to do and why?
First, CISOs must strive to stay ahead of the cybercrime curve in the face of expanding attack surfaces and more complex as well as frequent attacks. In doing so, their cybersecurity programs should keep up with the pace of changing business processes and models. But second, their responsibilities have shifted. This no longer extends only to IT or IT security, but to just about every department in the company, such as human resources, legal, sales, or even marketing – to all employees who are on a PC or connected to the Internet.
This reality, exacerbated by the lack of professional and competent specialists, means that CISOs can hardly find a balance between strategic and day-to-day tasks. Many security officers are merely more reactive and hardly act proactively or even strategically.
What role should CISOs have in companies, even though in practice they are often involved elsewhere?
A CISO should actually develop and implement comprehensive cybersecurity strategies that align with overall business objectives. In addition, s/he identifies and assesses security risks and implements security policies and procedures to mitigate risks.
In reality, however, he is involved in areas such as compliance, risk management or general IT operations. This not only distracts him from his core responsibilities, but also exposes an organization to increased security risks. Regardless of this discrepancy, CISOs are playing an increasingly important role: according to a Gartner analysis, CISOs will be members of around 70 percent of supervisory boards in 2026. The prestige of a CISO or a security risk manager (SRM), their visibility and prominence in the company and their scope of activities are definitely growing.
What should be the roles of CISOs in the future? How should CISOs transform themselves?
Hybrid work environments and digital transformation processes dictate the future agenda. They need to constantly improve the security of their digital ecosystems by implementing control mechanisms. In doing so, they then take a holistic view of the increasingly fragmented attack surface. They should also increasingly take the perspective of the hackers in order to be able to contain risks in a prioritized manner.
To do this, CISOs need on the one hand complete oversight of the attack surface and should on the other hand consolidate the fleet of deployed security solutions. CISOs that do not have sufficient resources to implement such a comprehensive IT security program will not be able to do without external help from security experts in the long term as part of a managed detection and response (MDR).
What is required for CISOs to transform?
Until now, security has historically been defined by technologies, people and processes. Technology has played the dominant role. But looking at solutions alone reduces the effectiveness of cybersecurity risk. Even the best security technology won’t protect against the employee who decides to click on a malicious link.
So top security leaders must rediscover the balance between people, process and technology. That’s because all three pillars play an important role in developing sustainable cybersecurity programs. Technology’s role is primarily to reduce the time attackers spend in IT and the response time of defenses. Beyond applications, it’s a matter of understanding defensive processes to suppress attacks at the first signs.
What is your advice to today’s CISOs?
Regardless of the size of the company, C-level security officers should see themselves as decision makers in matters of both security and business development. Therefore, they can no longer just understand technologies. Rather, they need to be able to talk to the entire C-level or to the various department heads. At the same time, they should be looking at ease and efficiency of security through a consolidated IT security portfolio in the company. If that is the case, they will no longer act reactively, but actively.
However, the human factor will remain central: Employee training on phishing is a highly effective defensive measure. After all, many complex attacks still start with simple e-mails including malicious links or attachments. Last but not least, we appeal to the CISO’s insight: Seeking external help, for example in the form of Managed Detection and Response (MDR), is permitted and sooner or later also necessary.
is Senior Manager, Global Security Operations at Bitdefender.