With CISOs stretched thin, re-envisioning enterprise risk may be the only fix

Structural changes necessary: Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, says many organizations have already made the structural changes necessary to address the rising importance, and specialization, of cybersecurity and risk functions.

“The breadth and depth of information security and cybersecurity have increased so significantly over the past two decades that it drove a sea of specializations: SOC, blue and red teams, application security, cloud and infrastructure security, GRC, control monitoring, security architecture, identity and access management, and many more,” Villanustre says.

“Gone are the days when a single person could possess all necessary knowledge to cover all cybersecurity needs of a corporation,” he adds. “CISOs nowadays are more akin to CIOs, with a higher focus on security and privacy aspects, managing organizations that span from dozens to hundreds of people, in addition to leading the rest of the company by influence.”

But those organizations that continue to saddle CISOs with additional remits risk rendering the role nonviable, says Sanchit Vir Gogia, chief analyst at Greyhound Research. “The CISO role has been pushed to its cognitive, operational, and strategic breaking point,” he says. “This isn’t about performance gaps or capability shortfalls. This is about a job that has been stretched across so many domains that it no longer fits within the bandwidth of a single human being. At least not one who wants to remain effective, credible, and sane.”

Gogia says that just in the past half decade CISOs have taken on “business continuity, data privacy, ESG reporting, supply chain integrity, AI governance, physical security, fraud, and even real estate oversight in some cases.”

“In some organizations, the CISO is also expected to lead risk quantification, participate in executive crisis simulations, and oversee elements of legal and regulatory compliance,” he says. “That’s not scope expansion. That’s an organizational dumping ground.”

Gogia suggests that the typical enterprise CISO’s day is overflowing with tasks that prevent the executive from truly performing the fundamental facet of the role: advancing enterprise defense.

CISOs today “have to communicate vulnerabilities to engineering teams in the morning, prepare board-level business risk briefings at noon, and resolve a cloud provider dispute by night. That’s not leadership. That’s intellectual triage on a daily loop. The result? Priorities blur. Roadmaps stall. Burnout creeps in not through dramatic collapse but through constant erosion,” Gogia says.

“We’ve seen this play out in multiple organizations. Security transformation programs delay quarter after quarter, not because the CISO lacks competence, but because their day is consumed by audit prep, compliance follow-ups, stakeholder briefings, and vendor escalations,” he says.

Gogia advises CISOs to work with senior management in taking a critical look at everything the CISO is being asked to do.

“What truly belongs? What has been bolted on out of convenience? What requires its own leadership function? In many cases, privacy, physical security, and ESG risk deserve separate ownership,” Gogia says. “Let the CISO be the architect of cyber risk, not the landfill for all loosely related responsibilities.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4128992/with-cisos-stretched-thin-re-envisioning-enterprise-risk-may-be-the-only-fix.html