CISOs reposition their roles for business leadership

Amit Basu, VP, CIO, and CISO, International Seaways

It’s up to the CISO to gain the trust of the management team and the board so they understand that security is not an IT issue or a technical problem, Basu stresses. It requires “emotional intelligence,” as well as some boldness and visionary leadership, he says.

Basu’s dual-titled role is emblematic of a rising trend in the C-suite that sees security leaders better positioned, sometimes even than CIOs, to lead tomorrow’s tech departments.

Giving it to them straight: CISOs are now working with business leaders and boards to ensure that cybersecurity considerations are embedded into every issue, Basu says. “And, they have become translators for articulating the complex technology risks in business terms that resonate with senior leadership.”

When CISOs communicate effectively, or have what Basu calls “a storytelling skill,” that elevates them from an operational manager to a trusted advisor and a strategy leader.

Communication is a key strategy for building trust and influence across the organization, agrees Gaurav Kapil, senior vice president and CISO at financial services firm Bread Financial.

“The CISOs of the present and the future need to get out of being just technologists and build their influence muscle as well as their communication muscle,” Kapil says. They need to be able to “relay the technology and cyber messaging in words and meanings where a non-technologist actually understands why we’re doing what we’re doing.”

For example, a CISO saying, “I need to implement a new vulnerability management capability,” doesn’t mean anything to businesspeople, Kapil notes. “But translating that into the value it provides to the organization and the benefits it provides, the risk it reduces, the business it enables, all those mechanisms enable the CISO to build their trust vault.” This needs to be a continuous exercise, he adds. “It’s not transactional but more of a value-based conversation.”

Having risk rather than cyber conversations: Bread Financial holds a lot of personally identifiable information (PII) for millions of customers, and it goes without saying that it needs to be protected. Naturally, the business cares about abiding by all the regulatory requirements a financial services firm is subject to, Kapil says, but he needs to always be thinking beyond that, especially when it comes to the implications of this PII being leveraged in an unauthorized way.

“Talking about encryption and tokenization is not really going to help the business,” he says. “But talking about, ‘If we do not secure the information and its access for unauthorized purposes, here are the implications,’” including loss of customer confidence, regulatory fines and additional oversight, and reputational loss, “those are the kinds of things the business cares about more.”

Gaurav Kapil

Becoming an enabling CISO: In 2018, a CISO report from Synopsys identified four different types of CISO “tribes,” each with its own distinct characteristics. Chad LeMaire, deputy CISO at NDR platform provider ExtraHop, and currently interim CISO, characterizes himself as an enabler CISO.

“CISOs who are enablers can have the greatest impact on the business because they understand the business objectives,” LeMaire explains. “I like to say we don’t do cybersecurity for cybersecurity’s sake. … Ultimately, we do cybersecurity to contribute to the goals, missions, and objectives of the greater organization. When you’re an enabler that’s what you’re doing.”

Chad LeMaire

Helping the organization recognize that cyber needs to transform, too: Like many organizations, Bread Financial is in the midst of a business and digital transformation. Kapil believes strongly that the security organization also has to transform.

“A tech transformation cannot be successful without a cyber transformation as well,” he says. To do this successfully requires Kapil to think outside the box and align the IT and cyber practices that will enable the company to be a tech-forward financial services organization.

“We can’t afford to just be cyber technologists. We’ve got to get out of our box and speak the language of risk, speak the value, the language of our finance partners,” Kapil says. It’s up to the CISO to make the CFO understand why security has the budget it has and the value the organization provides.

“We’re leveraging tech and cyber to enable the business, enable the partners, and ensuring that this business platform continues to be a safe and secure operating platform. That is key to the underlying message,” he says.

A business-focused title emerges: With CISOs repositioning their roles and in recognition of how integral security has become to the business, some larger organizations are now adding business information security officers (BISOs) to their leadership teams. A BISO is embedded into the business and understands and aligns with strategic priorities and risk frameworks, says Michael Petrik, securities industry risk group associate at FS-ISAC, which has developed a BISO Program and Role White Paper for the financial sector.

The BISO role emerged to bridge the gap between business objectives and cybersecurity oversight that has existed in many companies, Petrik says.

“By acting as a liaison between business, technology, and cybersecurity teams, the BISO ensures that security measures are aligned with business strategies and integrated effectively,” he says. Digital transformation, emerging technologies, and rapid innovation are business mandates, and security teams add value and manage risk better when they are involved before a platform is selected or implemented, he says.

A BISO should be viewed as a complement to a CISO, not a replacement, Petrik stresses.

CISOs have a widening set of responsibilities including enterprise-wide cybersecurity strategies, establishing policies, and managing overarching cyber risk. The BISO is an extension of the role by translating technical security knowledge into core business applications, Petrik says.

As CISOs look to reposition their roles for more business-centric responsibilities, they can utilize BISOs to help them gain greater visibility, more agility, and improved alignment across the organization, Petrik says.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4002753/cisos-reposition-their-roles-for-business-leadership.html
