CISOs see roles evolve from backroom to the boardroom

May 5, 2025
As digital threats escalate and technology becomes central to business strategy, today’s CISOs are stepping into the spotlight—playing a critical role in risk management, resilience, and growth enablement.

The days when chief information security officers toiled away in backrooms are over. Today’s CISOs are considered strategic business partners. Deloitte research shows a significant increase in CISO involvement in strategic conversations and that more CISOs now report directly to the CEO.

Organizations rely on technology for strategy, growth, and revenue. System availability and uptime are non-negotiable, yet a rise in digital threats puts companies at constant risk of disruption. Boards demand that CISOs and tech leaders anticipate and proactively manage this growing array of risks to protect the organization’s critical technology. As a result, the CISO role and how these leaders address threats are fundamentally changing.

A New Generation of Digital Risks

CISOs face a wide range of evolving digital risks that make it more challenging than ever to keep the organization and its technology secure and running smoothly.

Technology adoption

Eighty percent of senior executives intend to boost spending on new technologies this year. Companies are strategically adopting AI tools, automation, cloud technology, and other advanced and emerging technologies to increase productivity, streamline operations, improve decision-making, enhance customer experience, and maintain a competitive edge. 

However, every new technology the organization adopts opens the business up to risk. While these new tools deliver many benefits, they also expand the attack surface and create vulnerabilities. New tools can reduce overall system performance and lead to downtime during deployment if not seamlessly integrated with existing systems. 

Advanced cybersecurity threats

Cyber risk now surpasses economic and talent risks as the top concern for organizations. According to Riskonnect’s New Generation of Risk Report, 72% of executives say cyber threats significantly impact their organization. Twenty-four percent of executives specifically cite AI-powered attacks, such as ransomware, phishing, and deepfakes, as their top business risk for the next 12 months. Despite this growing threat, 80% of organizations lack a dedicated strategy to address AI-driven fraud attacks and other generative AI risks, which leaves organizations exposed.

Cybercrime costs companies approximately $10.5 trillion annually. The global average data breach cost is currently estimated at $4.45 million. Ransomware demands average $2 million, plus another $2.75 million in clean-up costs. The consequences of cybercrime go beyond financial losses. A single breach or attack can lead to reputational damage, regulatory scrutiny, and operational disruptions that have lasting effects. Given the business impact of these risks, it stands to reason why CISOs’ influence is growing, and these tech leaders are increasingly seen as strategic business partners.


A lack of AI governance

The rapid integration of AI into business operations creates significant challenges in governance and oversight. Only 8% of organizations feel prepared for AI and AI-governance risks, and just 19% have formally trained or briefed their entire organization on generative AI risks.

Inside threats are just as serious as those outside an organization’s four walls. Employees, partners, contractors, and suppliers with system access can compromise security, maliciously or unintentionally, ranging from accidental data exposure through improper handling to deliberate data theft and extortion. There’s also the risk of system failures from employees misusing AI tools or from an AI model making unauthorized decisions or changes. The pressure to drive fast value from AI could also lead teams to cut corners on security governance or sidestep the IT function altogether.

Third-party risks

As more vendors embrace AI tools, third-party risk grows exponentially. At least 15% of data breaches involve a third party or supplier, with some estimates closer to a third or more, and AI further amplifies this risk. Sixty-five percent of organizations lack policies governing AI use among suppliers, which creates critical security gaps. But AI isn’t the only factor. A faulty software update, as in the notorious CrowdStrike incident, or another event at a vendor partner could shut down your critical operations if you don’t have a comprehensive approach in place for digital risk management.

How the CISO Role is Evolving

CISOs used to focus on protecting the company’s information, implementing security measures like firewalls, intrusion detection systems, and data encryption to ward off potential threats. But given the growing reliance on system availability and the array and severity of digital threats to organizations’ systems, IT risk is now a core business risk, and the expectations of the CISO role are that much greater.

CISOs need a deep understanding of the organization’s exposure and resilience to digital risks, not just data breaches and information security issues. They’re expected to:

  • Safeguard the organization’s critical technology and future aspirations from cyber threats.
  • Develop and implement a comprehensive strategy to address cybersecurity, IT risk, resilience, business continuity, compliance, AI, third-party risk, and more.
  • Drive digital resilience and help the business recover quickly from events.
  • Provide insights to the board on the effectiveness of processes and controls.
  • Identify necessary changes to IT, cyber, and AI practices to protect the business.
  • Convey technical information in a way that other leaders and frontline users across the organization understand.

The CISO role is transforming, and so is how these tech leaders manage digital risks that could instantly bring down the company.

Three Ways to Maximize CISO Impact

There are three steps for CISOs to consider as they rise to meet growing expectations and take ownership of their expanding responsibilities for protecting prized technology and the organization’s future aspirations and viability.

1. Shift your mindset beyond ‘detection.’

Intrusion detection systems, security information and event management systems, vulnerability scanners, and other tools still certainly have their place. But they’re not the end-all, be-all. Even the most advanced cybersecurity measures can’t eliminate your risk. Risk management approaches must transform as the expectations on CISOs grow and evolve.

Today’s digital risks extend well beyond malware and breaches, including regulatory challenges, third-party vulnerabilities, and operational disruptions. CISOs need a proactive and holistic approach to preventing, managing, and recovering from digital risks. Focusing on detecting vulnerabilities, attacks, and mishaps alone overlooks critical risk sources and exposes organizations.


2. Focus on a unified technology risk management strategy.

Gone are the days of inventorying risk, identifying anomalies, and patching vulnerabilities component by component. Today’s attack surface and risk spectrum are too large. Too many assets, systems, business services, users, teams, controls, servers, devices, and regulations exist to manage. Risks are also interconnected and can span across the whole company. The only way to stay on top of it all is with a proactive, comprehensive, and structured approach that coordinates across multiple stakeholders and departments.

Leading CISOs recognize the sheer scale of digital risks that could harm the business. Managing technology risks means getting insight not just on IT risks and controls but also on third-party risks, compliance, business continuity, resilience, data privacy, and more.

The focus has now shifted from IT risk management to technology risk management. Technology risk management identifies, anticipates, and addresses the broader risks of technology failure to ensure smooth and uninterrupted operations. It combines various risk domains and the strategies, processes, systems, finances, and people to manage risks across the entire organization, including cyberattacks, ransomware demands, data breaches, service outages, equipment breakdowns, human error, and more.

A unified strategy also requires close collaboration with executive leadership, IT teams, business units, and external partners to foster a culture of resilience and shared responsibility.

3. Get a holistic view of digital risks.

CISOs need to know where the organization’s digital risks lie, what they mean, how they link to business strategy, and what to do about them. Start by identifying the organization’s technology assets and partners. Inventory all networks, devices, infrastructure, software, data, processes, and people. This includes developers, users, tech staff, and others who operate the technology.

Then, assess the risks. Evaluate the organization’s digital infrastructure, systems, processes, vulnerabilities, and existing controls. Determine the likelihood and potential impact of risks from internal and external sources.

Some risks are essential to avoid because they aren’t worth the potential damage. Others might be worth accepting, such as risks associated with new technology. There could also be risks that are best transferred to another party, usually through insurance or outsourcing. Regularly reassess these risks and response plans and adjust plans as necessary. Stay ahead of these and other emerging risks by continuously monitoring the digital threat landscape and planning for various scenarios. 

A Spotlight on CISOs

It’s an exciting time for CISOs. Digital transformation is accelerating across industries, and their role is rapidly expanding to address the growing challenges of operating a business in the digital age. CISOs hold the keys to ensuring the business can confidently embrace new technology without compromising security or stability.

About the Author

Jim Wetekamp | CEO of Riskonnect

Jim Wetekamp is the CEO of Riskonnect, a leading integrated risk management software provider. He is a recognized expert on insurable, enterprise, and resilience risk. Jim has over 25 years of experience in the software industry, including leadership roles at BravoSolution, Atlas Commerce, and IBM.

Jim began his career at IBM in 1996, where he spent four years as a team lead in the IGS WW Finance organization. In 2000, he joined Atlas Commerce as director of product management, where he helped the company launch its first product.

In January 2002, Jim joined Verticalnet as the consulting and solution strategy vice president. Jim played a pivotal role in the company’s growth and eventual sale to an Accel-KKR portfolio company.

In January 2008, Jim became CEO of BravoSolution, an industry-leading cloud procurement technology solution provider. Under his leadership, BravoSolution grew rapidly and was successfully sold to an Accel-KKR portfolio company. BravoSolution supports over 650 companies and 130,000 users in 87 countries in digitalizing the end-to-end procurement process. It offers robust cloud-based procurement solutions to fit the needs of today’s leading procurement organizations.