CISOs in 2025: Evolution of a High-Profile Role

Over the past decade, the chief information security role has evolved from being a supporting position under the CIO or chief risk officer to a core member of the executive team.

Nathan Eddy, Freelance Writer

December 3, 2024

4 Min Read
Evolution of an executive concept.
Chin Leong Teoh via Alamy Stock

As the CISO role expands to encompass more strategic leadership, risk management, and compliance, CISOs are making more integral business-level decisions, reflecting the growing importance of cybersecurity in overall business strategy. 

An October survey from Portnox found CISOs are increasingly buffeted by compliance challenges, gaps in cyber insurance, and are increasingly concerned about job security.  

Heading into 2025, CISOs are expected to engage more deeply with other C-level areas including legal, finance, HR and operations. 

James Scobey, CISO at Keeper Security, says this expanded integration with executive teams and boards has narrowed the pool of candidates who meet market demands for this role. 

“Many firms now find themselves hiring candidates with strong skills in one area while investing in their development across others or building internal pipelines to develop future candidates with the necessary skill sets,” he says.  

Given the demands on their time, Scobey says CISOs will require additional resources to take on technical responsibilities they previously managed firsthand. 

“This will also drive increased investments in areas including cybersecurity, business intelligence and financial performance management to support their expanding role,” he says.  

Related:Tech Company Layoffs: The COVID Tech Bubble Bursts

CISOs and Personal Accountability  

Recent legal actions have heightened concern about personal accountability among CISOs. 

Most notably, in 2023 SolarWinds CISO Timothy G. Brown was charged by the SEC with fraud and internal controls failures related to cybersecurity risks, marking the first time a CISO was targeted individually. 

George Jones, CISO at Critical Start, says via email this may signal a shift toward holding security leaders personally accountable for breaches and associated disclosures. 

“The tightening regulatory landscape is reshaping security leadership,” he says.  

He explains that creating clear legal distinction and delineating job responsibilities could provide CISOs with some protection against liability, such as indemnification clauses and expanded Director & Officer (D&O) insurance. 

“This also emphasizes shared accountability, which alleviates the personal pressure on the CISO while ensuring organizations meet regulatory standards,” Jones says.  

From the perspective of Gareth Lindahl-Wise, CISO at Ontinue, other key accountabilities in business have been through this transition before, noting CEOs, CFOs, GCs, and DPOs have carried specific liabilities for a while. 

“I think both parties will look at whether they are happy with where liabilities sit -- the organization with their CISO and vice versa,” he says. 

Related:Things CIOs and CTOs Need To Do Differently in 2025

He adds it may cause more organizations to move security into more traditionally mature hands such as finance or legal. 

“CISOs have largely always relied on key business partnerships to succeed,” he says. “I think the lean towards personal and organizational liability makes the relationship with the head of legal or general counsel even more important.” 

A closer relationship would allow both parties to properly understand the risks and what appropriate responses look like. 

“In my view, CISOs need to be increasingly capable of understanding legal principles yet recognize when they need to be seeking genuine legal counsel on a matter,” Lindahl-Wise says.  

Integration in Boards, Executive Teams  

A June Bugcrowd report, Inside the Mind of a CISO, found more CISOs are also joining boards to provide better oversight on security strategies, with direct reporting line to the CEO or Board of Directors.  

Jones says this reflects a broader trend to CISOs as strategic advisors impacting business decisions. 

“Many companies and Boards creating cybersecurity subcommittees to better address cyber risk, integrating the CISO into these structures to offer insights on risk resilience, compliance, and cyber insurance strategies,” he explains.  

Related:What to Do When a Key IT Vendor Suddenly Goes Out of Business

Scobey says as cybersecurity has historically been viewed as a technical or support function, CISOs reporting directly to the board has been the exception rather than the norm. 

“However, as cybersecurity increasingly influences business strategy and becomes a key differentiator, we’re seeing a shift,” he explains in an email interview. “CISOs are now expected to liaise more frequently with executive teams and report directly to the board.” 

CISO Salaries Rise, Tenures Fall 

Agnidipta Sarkar, vice president, CISO advisory at ColorTokens, says via email he thinks enterprises will evolve the CISO role next year.  

“I am already seeing an increase in CISO salaries and soon the role will evolve to bring in greater ownership and accountability, to help other CXOs ensure cybersecurity controls are effective within their functions,” he explains.  

He adds he expects shorter CISO tenures, due to the demanding nature of the role. 

“Organizations that support this difficult role through executive support and organizational structures, including liability insurance will see more stability and retention of qualified and competent staff,” Sarkar says.  

Scobey points out that in 2024, CISO attrition was notably high and says it’s still uncertain whether this trend will stabilize as new talent takes on security leadership roles with a clearer understanding of their scope. 

“Organizations should prioritize development and succession plans for CISOs, just as they would for CEOs, CFOs and other senior leaders,” he says. “As cybersecurity becomes more crucial to corporate success, ensuring resilience against CISO turnover has become essential.”   

About the Author

Nathan Eddy

Freelance Writer

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights