There are growing concerns among chief information security officers (CISOs) about the evolving demands of their role, with 84% advocating for a split into separate technical and business-focused positions.
The Trellix and Vanson Bourne survey of 5,000 CISOs and IT security leaders found that as cybersecurity threats grow more complex and regulatory frameworks expand, there is a growing call for a clearer division of responsibilities to manage both aspects effectively.
The rapid pace of regulatory change was also a significant concern, with 98% of CISOs expressing apprehension about keeping up with evolving cybersecurity regulations.
For 79% of respondents, the time and effort required to stay compliant was deemed unsustainable, suggesting the need for more streamlined approaches to regulatory adherence.
This burden has prompted many CISOs to seek external insights, with 87% agreeing that discussions with industry peers are more valuable than conducting individual research when it comes to understanding regulatory shifts.
The survey found CISOs are also under increasing pressure to maintain clear communication with their organizations’ leadership.
Nearly half of the respondents (49%) reported to the board on a weekly—or even more frequent—basis, underscoring the need for consistent updates on cybersecurity risks and compliance issues.
However, this growing scope of responsibilities is taking its toll, with about half of CISOs surveyed admitting they do not see a long-term future in the role, citing the stress and expanding range of duties that have made the position less sustainable.
Dividing the CISO Role
George Jones, CISO at Critical Start, said he thinks the division between a technically focused CISO and a business-focused BISO could create a more balanced leadership structure, allowing for specialized attention on critical areas.
“The technical role would focus on threat mitigation, incident response, and proactive defense mechanisms, while the business role would ensure cybersecurity aligns with business objectives, compliance, and risk management,” he explained.
This separation could streamline decision-making, as both roles could operate independently without becoming overextended, ultimately improving overall security posture and resilience.
“The challenge, however, lies in ensuring that both roles remain in lockstep, with clear and consistent communication, so their priorities support the same strategic goals and align with the organization’s broader business objectives,” Jones added.
He said balancing the dual responsibilities of managing technical cybersecurity measures and aligning with business objectives requires a combination of strategic delegation, prioritization and effective communication.
“CISOs need to build a strong cybersecurity team with leaders dedicated to key areas such as threat intelligence, incident response and compliance,” he said.
Jones noted delegating day-to-day operations will allow the CISO to focus on bridging the gap between technical requirements and business goals.
“Regular risk assessments and aligning security initiatives with business priorities are essential to addressing advanced threats,” he explained.
To maintain this balance, automation for routine tasks is crucial, cross-functional collaboration is key, and ensuring that cybersecurity frameworks align with key business outcomes is a must.
Putting Risk into Business Context
Jason Fruge, resident CISO at XM Cyber, said board members understand business risk quite well, and governance is the primary aspect of the board members’ role.
“The CISO needs to put cybersecurity risk into a business context and update the board consistently with how other risks are discussed,” he said.
Fruge explained that a good practice for making this successful is to work offline with the corporate secretary, or someone similarly close to the board, to review the best approach for that particular board.
He recommended that CISOs leverage organizations, such as the Digital Directors Network, that can present courses directly to their board on the need to advance cybersecurity governance in the boardroom.
“Also, the CISO should pursue board-level courses and certifications to help bridge the potential gap in the CISO’s understanding of the nature and purpose of the board and corporate governance,” he said.