What’s next for the CISO role?
As executive vice president and CISO, Jerry Geisler is a top-level executive at Walmart.
That rank, along with continued investment in the cybersecurity program, reflects his company’s commitment “to being a cyber secure company,” he says.
What’s more, it highlights the continuing evolution of the CISO role.
“In the past, security was often an afterthought in the digital landscape. However, in 2024, organizations are prioritizing building secure apps, systems, and services. Walmart stands out as a trailblazer in this regard, as the company has long emphasized infosec. Elevating the CISO role to the executive vice president level at Walmart showcases a global rarity,” Geisler says.
He adds: “This positive trend highlights the growing importance of CISOs in shaping business-level decisions across various sectors.”
Geisler, one of 10 CSO Hall of Fame inductees this year, is not alone in his observations. Others in the 2024 Hall of Fame cohort also see the CISO role continuing its shift from its traditional technical roots to a high-level strategic executive. With that, they see an expansion of responsibilities being assigned to security chiefs.
“When I first started my career, cyber was embedded into IT, and IT was still considered a back-office function. Cyber was thought of more like an insurance, but it has since evolved into a front-office function that is now a differentiator and helps grow the business,” says Teresa Zielinski, vice president and global CISO of GE Vernova. “Today, the CISO role is evolving even further. We now see it evolving into a more executive role with strategy, where it’s leading not only cyber but also risk and resiliency.”
More responsibilities, more accountability
The work of the chief security officer has been in flux since its origins in the mid-1990s, and Zielinski’s career has mirrored the position’s trajectory.
Like many CISOs, Zielinski started her career in IT, spending 12 years in that space. In 2009 she was pulled into cybersecurity, when asked to lead a team tasked with responding to an incident.
Zielinski understood right away that cybersecurity was not only about preventing bad things from happening but could also enable business objectives.
She saw that cybersecurity cut across all functions and knew the processes and technologies that ran the business, which let security leaders see the big picture; that security was well-versed in the numerous risks, regulations, and requirements facing the organization; and that, through its work with IT on product security, it connected with customers and shaped their experience and their sense of trust in the organization.
“Cyber has to thread the needle across every single function to get gaps closed and get processes working as they should,” she says. “In security, you have to understand what customers need, what regulations to meet, and you have to use that understanding to influence your executive colleagues. As I saw that, that’s when I knew the role was bigger, that it was not about having cyber for insurance but being proactive to enable the business.”
She cites as evidence the adoption of a “security-first mentality” among more and more organizations, where security is built into digital products from the start and as a given — the way that safety, for example, is not an afterthought with the production of cars but part and parcel to it.
“No one would buy a car without safety features. That has to be the same with digital products, especially with AI and generative AI services,” she says.
Furthermore, Zielinski sees more CISOs taking on an even broader suite of responsibilities in the future and moving into the highest echelons of enterprise leadership as they do.
More specifically, she sees cybersecurity duties merging with risk and resiliency responsibilities. It’s logical, she adds, as cybersecurity and risk and resiliency are all about identifying and closing gaps so that the organization not only can survive an incident but can actually thrive despite all the risks.
“The CISO and the chief risk officer will either work more closely together or it might become one and the same role leading not only cyber but also risk and resiliency,” Zielinski adds.
Canadian National Railroad CISO Vaughn Hazen says he, too, sees the role assuming greater responsibility for risk than it had in the past.
“It is already fundamentally a risk role; it’s about managing risk,” he says, adding that the growing number of security regulations is creating a push to have CISOs take on more elements of compliance, too.
He points out that CISOs today often have responsibility for data privacy, and he sees more CISOs owning third-party risk and supply chain risk — a trend he expects will continue.
Such trends are ramping up both the pressure on CISOs and the level of accountability they take on, he adds.
“You have to know what your exposures are, so you have to understand the business and the potential impacts to the business for those risks. You have to understand how the policies, processes, and technologies you put in place impact risk and the organization as a whole. And you have to be able to defend your decisions,” Hazen says. “You have to develop the mindset: ‘If I had to defend my positions in court, would I feel comfortable with the decisions I made?’ and answer yes.”
The rise of the chief cyber and risk officer
Gary Hayslip, CISO for Softbank Investment Advisers, sees a similar trend for the future.
“I see the role now as using technology, people, and process to manage risk,” he says, calling such moves part of the maturing of the chief security position.
That, in turn, is reshaping CISO duties and changing the nature of the position in many organizations, he says.
He knows of CISO positions that oversee governance, risk, and compliance (GRC), others that have risk and network infrastructure, and still others that have risk and IT. He expects future titles will reflect that consolidation, with CISO turning into chief cyber and risk officer or chief cyber and privacy officer (changes that already are happening in limited numbers).
“That consolidation is going to become the norm,” Hayslip adds.
Susan Koski, executive vice president and CISO for PNC Bank, likewise sees CISOs taking on more.
“CISOs have a broad remit and must shift from technology to legal, marketing, communications, relationship management, and finance,” she says. “This is leading to more CISOs being asked to take broader roles with some even becoming chief information officers. There is also a natural progression to include physical security and fraud within the role and a fusion of certain other functions for optimal delivery. The position will continue to evolve, particularly around identity — with the need to appropriately and continuously validate clients and employees and reduce the reliance on phishable credentials.”
All this, however, does not replace or even supersede the need for CISOs to be technically astute as well as fully versed in the longstanding foundations of cybersecurity operations and evolving best practices, according to 2024 Hall of Famers.
“Cyber is still cyber. You still have basic cyber hygiene to do,” Hayslip says.
Drivers of evolution
Many factors have driven the evolution of the CISO role to date and will continue to do so in the future. But one big driver is the arrival of digital everything, which happened over the past two decades or so.
“With the nature of business today, security is more intertwined with operations, and if you don’t get security correct, the impact on business is more significant now [than in the past],” Hayslip says.
Looking toward the future, Geisler believes the changing tech landscape will continue to drive a CISO evolution.
“In the ever-evolving tech landscape, the CISO role remains critical to businesses, foreseeing continuous evolution. As functional leaders, CISOs navigate advancements from automation to gen AI, following where technology leads,” he says. “While AI dominates current discussions, the future of quantum computing looms large. In a five-to-seven-year time horizon, quantum computing is poised to rival the current gen AI spotlight. The sheer volume of data, processing requirements, and speed will become paramount concerns for many CISOs.”
Other inductees cite AI and quantum computing as shaping the work CISOs will be required to do in upcoming years, furthering the integration of security into business processes and products.
Inductees also say the constantly expanding list of security-related regulations and security-tangent requirements — such as data privacy laws and standards — similarly will expand the CISO’s duties and elevate the role’s criticality and prominence.
They believe, too, that the increasing personal and professional liability that CISOs are facing for any security failures is driving changes in the CISO role.
That liability is landing security chiefs the proverbial seat at the executive table, a place in board meetings, and coverage under corporate directors and officers (D&O) insurance — and will get more CISOs those things in the upcoming years.
It is also increasingly getting CISOs a bigger voice and more authority to mandate security measures.
That, Hayslip says, will get more and more leaders in the CISO position “treated like the executive role it should be.”