Rise of the transformational CISO

Rise of the transformational CISO

Frank Kim, SANS Institute Fellow

The stakes have never been higher for CISOs to foster seamless, cross-functional alignment across their C-suite and Board and if not, they can potentially be held liable for it. However, generating collective buy-in amongst stakeholders with varying priorities and business objectives is far easier said than done, says Frank Kim at SANS Institute.

Modern Chief Information Security Officers, CISOs are navigating tough circumstances due to a myriad of complex challenges. CISOs are also dealing with heightened regulatory pressures coupled with corporate politics.

In 2023, the charges against Joseph Sullivan, Uber and Timothy G. Brown, SolarWinds set a new precedent for corporate responsibility on matters of cybersecurity. Both landmark cases exemplified the consequences of inaction on new cyber mandates like the Securities and Exchange Commission, SEC regulations, Biden Administration Executive Order and NIS2 Directive, among other global measures.

The stakes have never been higher for CISOs to foster seamless cross-functional alignment on cyber risk mitigation and compliance across their C-suite and Board. If not, they potentially can be held liable for it. Except as we have encountered time after time, generating collective buy-in amongst stakeholders with varying priorities and business objectives is far easier said than done.

Evolving threat actor tactics, techniques, and procedures, leveraging new next-generation technologies have enhanced the sophistication of traditional cyberattacks – increasing urgency for CISOs to implement resilient cyber defence strategies.

However, an experience shortage driven by understaffing and evolving skill requirements is making that difficult to accomplish. There are more than 4 million unfilled security jobs in the world today, and research indicates that most security professionals believe the skills shortage’s impact has worsened over the past two years.

Burnout is real

This perfect storm of complexity is hindering CISOs’ health, well-being, and career stability. For example, a 2023 CISO stress study conducted by Cynet found that:

  • 94% of CISOs said that they were stressed at work
  • 65% expressed that their stress compromised their ability to protect their organisation
  • 74% left their jobs in 2022 due to work-related stress
  • 77% said that their work stress impacted their physical health

This often translates into burnout that leads to CISO turnover and volatility. While the current CISO turnover rate sits at about 18% YoY, Gartner forecasts that as many as half of security leaders will change jobs by 2025, with about a quarter of them moving to different roles entirely due to work-related stress.

That is an unfortunate reality of our situation at hand, but it does not need to be all doom and gloom moving forward. Light still exists at the end of this tunnel. By adopting a transformational leadership approach, CISOs can take proactive steps to protect their organisation, and themselves from the ripple effects of an accelerating threat landscape.

Connecting cyber and business risk

Modern CISOs must be more than just pure technologists. It is critical to serve as a transformational provider of influence that effectively aligns an organisation’s security needs with other high-priority functions of the enterprise. A transformational CISO is adept at leveraging enterprise risk strategies to articulate the correlation between cyber and business risk in terms that resonate across the organisation.

This allows them to effectively articulate the severe consequences of successful attacks, regulatory non-compliance, and the business benefits of modern security capabilities, in turn justifying the importance of ample security resources, frameworks, and cross-functional collaboration in the eyes of executive stakeholders.

Compounded at scale, securing buy-in across those facets enables CISOs to implement resilient security strategies around high-value assets to safeguard the organisation from major breaches that result in legal liability. It also helps cultivate a culture of security vigilance built on communication and collaboration amongst organisational leaders.

Covering those bases is worth its weight in gold when it comes to reducing anxiety associated with the CISO role. While new obstacles will always exist on the horizon, having robust resources and contingency plans in place helps ensure you can navigate them with agility.

Head coach

The transformational CISO role resembles that of a head coach in sports. Cyber defence is a team sport, and it takes a collective effort to defend an organisation’s attack surface from threats in high volume and velocity. The whole is better than the sum of its parts.

As such, security teams must be positioned with the right people, processes, and technologies that enable them to perform efficiently and minimise friction. When that fails to happen, it falls on the CISO in charge, another driving factor of the stressful conditions we are under today.

CISOs must be vigilant about ensuring their practitioners possess fundamental skills that are aligned to their organisation’s evolving security needs, especially as rapid enterprise digital transformation continues causing companies to adjust operating models on the fly.

For example, during a company-wide transition from hybrid, on-premises, cloud to fully cloud-based deployments, practitioners may need additional training on intricate cloud security concepts or zero-trust principles. This is where scaled cybersecurity certification training partnerships can be leveraged to upskill existing employees and equip them with the foundational knowledge essential to executing their role.

Master of tools

It is important for CISOs to prioritise the implementation of security automation tools and robust security programme frameworks. Streamlining manual workflows via automation, likely to be AI-enabled lessens the burden on understaffed security teams juggling numerous responsibilities, in turn reducing staff-wide burnout that often trickles up to the CISO’s seat.

Meanwhile, the latest version of the National Institute of Standards and Technology’s, NIST Cybersecurity Framework 2.0 is a perfect example of a well-defined programme framework that promotes operational efficiency. It adds a cohesive structure to the organisation’s policies, procedures, processes, and activities so that practitioners and tools operate more effectively, enhancing the performance of the whole end-to-end security architecture.

The challenges of cybersecurity’s evolving threat landscape and regulatory environment call for modern CISOs to transcend the traditional boundaries of their role. Moving with a transformational mindset is critical to weathering the storm.

By embracing this leadership style, they can cultivate a culture of security prioritisation, empower their teams, and foster greater resilience for both their organisation and them.


Formula for transformational CISO leadership

  • Be more than just a pure technologist.
  • As a transformational provider of influence, align an organisation’s security needs with other high-priority functions of the enterprise.
  • Become adept at leveraging enterprise risk strategies to articulate correlation between cyber and business risk that resonates.
  • Articulate severe consequences of successful attacks, regulatory non-compliance, and business benefits of modern security capabilities.
  • Justify importance of ample security resources, frameworks, and cross-functional collaboration in the eyes of executive stakeholders.
  • Securing buy-in across facets enables CISOs to implement resilient security strategies around high-value assets that carry legal liability.
  • Cultivate a culture of security vigilance built on communication and collaboration amongst organisational leaders.
  • New obstacles will always exist on the horizon, but having resources and plans in place helps ensure they can be navigated with agility.
  • Be vigilant about ensuring practitioners possess fundamental skills that are aligned to the organisation’s evolving security needs.
  • Prioritise implementation of security automation tools and robust security programme frameworks.
  • Streamline manual workflows via automation which lessens burden on understaffed security teams, reducing staff-wide burnout.

Browse our latest issue

Intelligent CIO Middle East

View Magazine Archive