Cybersecurity is increasingly recognized as a critical, board-level issue. It follows that in many organizations, chief information security officers (CISOs) should be involved in strategic business decision-making. This recommendation has been mainstreamed since at least the mid-2010s.1 A quick internet search on the topic, however, suggests that experts are still making the case that the role of the CISO should evolve from defense- to growth-oriented—that CISOs should play a critical role in all business decisions that involve technology. After nearly a decade of advocacy, 2024 may have been the year that many businesses made a big leap toward taking this advice.
Deloitte conducted its latest Future of Cyber Survey in June and July of 2024, polling 1,200 cyber decision-makers in 43 countries across six industries. Seventy-three percent of respondents indicated that, over the prior 12 months, strategic CISO involvement in strategy conversations about key technologies had increased or significantly increased at their organizations.
Why such a big increase in 2024? It’s impossible to know for sure, but according to Diana Kearns-Manolatos, technology research leader with Deloitte’s Center for Integrated Research and lead researcher on the Future of Cyber report, it could be a function of steady evolution meeting a moment of heightened opportunity and risk.
The evolution of the growth-oriented CISO has been gradual, likely influenced by various factors such as board-level involvement in scenario planning and risk management, the pandemic’s emphasis on organizational resilience, and the increasing fusion of technology and business operations, which was also amplified by the pandemic.
As a result, the CISO has become a unique hybrid role, according to Kearns-Manolatos, encompassing cyber risk, cybersecurity, and resilience management. This multifaceted role has led to diverse career paths, allowing both tech and business professionals to transition into CISO positions. Furthermore, the growing (and critical) interdependence of business and technology has highlighted the importance of folding security into strategic investment decisions, further helping to solidify the CISO’s strategic role. “We’re seeing more CISOs elevated to the role of chief security officer, with far more executive responsibility,” observed Ian Blatchford, Asia Pacific cyber leader at Deloitte Australia.
When it comes to opportunities that may be driving the CISO’s rise, generative AI is widely recognized as a factor. Over the past 12-plus months, there’s been a broad push to maximize its potential value across most organizations.2 As they transition from gen AI proofs of concept to full-scale implementations, organizations may have elevated security’s strategic importance recently, as the safety of the data powering generative AI is vital to its overall success and sustainability.3
The growing threat of AI-driven deepfake attacks and high-profile incidents affecting airports may have increased awareness of cybersecurity risks.4 Escalating geopolitical tensions have further contributed to a rise in cyberattacks across industries and government organizations, emphasizing the need for proactive defense strategies.5 According to Kearns-Manolatos, these events underscore the interconnected nature of cyber and business priorities like customer experience.
Regardless of why this shift has occurred, the good news is that a significant break toward growth-oriented CISOs could drive greater cyber maturity (defined in the survey as robust cybersecurity planning, key cybersecurity activities, effective board management, and the deployment of AI within the cyber program). According to the Global Future of Cyber survey, cyber-mature organizations anticipate twice the positive outcomes as their less mature peers (figure 2).
In their client work, corporate strategy senior manager Dick van Veldhuizen and cyber security manager Karel de Zoete at Deloitte Netherlands have observed this phenomenon firsthand. “We’ve seen that CISOs are increasingly successful when positioned as value drivers for the business,” according to van Veldhuizen. “When cyber is recognized as a strategic asset, it can enable revenue growth, protect future revenue streams, drive cost efficiencies, and even create sustainable competitive advantage.”
“We’re seeing this translate into elevated cyber discussions at the C-suite level,” adds De Zoete, who leads strategy-oriented cyber initiatives with clients. “This value-based positioning has been particularly effective in connecting CISOs more closely with business functions.”
The position of CISO has evolved significantly over the past decade. The once defense-oriented role has become growth-oriented. The data shows that, as of 2024, most CISOs now actively contribute their expertise to business decisions involving technology, leading to a more cohesive approach to IT, and potentially more positive business outcomes.