The CISO’s journey: From cyber guardian to strategic business leader

CybersecurityHQ Report - Pro Members


Brought to you by:

👉 Cypago - Cyber governance, risk management, and continuous control monitoring in a single platform


Executive Summary

Chief Information Security Officers (CISOs) are evolving from technical specialists to strategic business leaders. This transformation requires developing new competencies that enable organizational influence during both routine operations and critical moments of crisis or business transformation.

Based on Fortune 500 CISO practices and academic studies, this document provides a framework for security executives seeking to elevate their strategic impact. It explores the CISO role evolution, examines leadership frameworks, and offers practical guidance on board engagement, communication strategies, crisis management, and leading organizational transformation.

The Evolving CISO Landscape

The CISO role has transformed dramatically in recent years. Once viewed primarily as technical guardians, today's CISOs are expected to function as strategic business leaders influencing high-level decision-making, particularly during crises and transformations.

Recent studies confirm this trend: approximately one-third of organizations report a significant increase in CISOs participating in strategic discussions, and 20% of CISOs now report directly to the CEO (Deloitte, 2024). Boards and CEOs increasingly view CISOs as key advisors on risk and resilience, not just IT security operators.

This evolution requires developing leadership competencies beyond technical excellence. Research identifies six core competencies essential for effectiveness:

  1. Strategic Thinking - Aligning security with business goals and assessing long-term risks

  2. Communication - Simplifying complex technical issues for non-technical stakeholders

  3. Leadership - Driving employee engagement, change management, and cultural transformation

  4. Technical Expertise - Maintaining cybersecurity knowledge that informs strategic decisions

  5. Relationship Building - Building credibility through cross-functional collaboration

  6. Adaptability - Developing agile responses for both routine operations and crises

Leadership Frameworks for Strategic CISOs

From Technologist to Strategist

Historically, many CISOs emerged from technical backgrounds and operated primarily as tactical experts. Technical skill alone, however, is increasingly insufficient.

Research shows that while technical expertise remains essential, CISOs must cultivate broader leadership competencies – influence, communication, team-building, and cross-functional management. Successful CISOs now bridge cybersecurity with business strategy, working between IT and the broader enterprise to embed security into organizational culture and decision-making.

Strategic Leadership Models

Several frameworks help conceptualize the CISO's leadership journey. One model outlines six key mindsets of exceptional CISOs:

  1. Strategic Thinking - Looking beyond immediate threats to anticipate future security needs

  2. Risk Management - Developing a holistic view of organizational risk

  3. Lifelong Learning - Continuously expanding both technical and business knowledge

  4. Effective Communication - Translating complex security concepts for different stakeholders

  5. Ethical Decision-Making - Balancing security imperatives with organizational values

  6. Flexibility - Adapting strategies as both the security landscape and business environment evolve

Another valuable framework is the Cybersecurity Assessment Level Model (CALM), which evaluates CISO leadership maturity:

  • Level 1.0 (Technical Operator): Treats cyber risk as an IT problem, with limited board engagement

  • Level 2.0 (Functional Leader): Manages security as a dedicated function, aligning with business objectives

  • Level 3.0 (Strategic Business Partner): Positions cybersecurity as a business enabler, regularly engaging with the board

  • Level 4.0 (Transformational Business Leader): Becomes integral to the organization's DNA, involved in critical business decisions

Fortune 500 firms typically aim for Level 3 or 4 CISOs – executives who are comfortable at the board level, highly influential, and able to make cybersecurity a pillar of business strategy.

The "Transformational CISO" Archetype

The transformational CISO focuses on strategic risk management and business outcomes. Industry research describes these leaders as executives who possess deep cyber expertise but "elevate their focus" to enterprise-wide risk, working closely with C-suite peers and aligning security with corporate goals.

These CISOs build strong relationships and credibility, often reporting directly to the CEO rather than through IT silos. This positioning enables them to influence strategy and budget decisions as peers of other executives.

Crucially, transformational CISOs serve as translators between technical teams and business leadership. In contrast, security leaders who remain purely technical often struggle to gain legitimacy at the executive level.

Real-World Case Examples: CISOs as Strategic Leaders

PepsiCo: Balancing Security and Business Imperatives

Sara Andrews, former CISO of PepsiCo, emphasized the importance of balancing cybersecurity with business realities: “We forget we do run businesses… you have to make those tradeoffs and decisions.” She consistently advocated for cybersecurity to be integrated into all business decisions as a fundamental part of enterprise risk management.

Her approach showed a Fortune 50 security leader thinking like a business executive: enabling operations securely rather than opposing every risk by default. During her tenure, PepsiCo's security program was closely aligned with business strategy, with security actively involved in strategic discussions about new products and digital initiatives.

Texas Children's Hospital: Contextualizing Security for the Board

Teresa Tonthat, CISO of Texas Children's Hospital, demonstrates strategic influence through effective communication. Recognizing that board members needed context to understand cybersecurity implications, she "brings relevant highlights of what's going on in the media" to board meetings.

By discussing high-profile breaches at peer institutions, Tonthat connects cybersecurity to the hospital's risk posture and patient safety concerns. "They really like to hear what's happening around other healthcare institutions," she notes, as it makes abstract threats concrete for the board.

This approach has earned strong support – board members routinely ask, "Do you need anything, Teresa?", indicating trust and readiness to back security initiatives.

Board Representation and Crisis Leadership

Leading companies are increasingly embedding cybersecurity expertise in governance structures. By 2025, approximately 35% of Fortune 500 companies are expected to have board members with cybersecurity experience, often former CISOs or security executives.

Crisis scenarios have also elevated CISOs into strategic prominence. Following major disruptions such as the 2017 WannaCry and NotPetya attacks and the COVID-19 pandemic, many organizations recognized that their survival depended on swift, business-focused security leadership. One Fortune 100 manufacturing company credited its CISO with navigating a ransomware crisis by communicating clearly and presenting actionable choices to the CEO at each stage.

Board-Level Engagement and Influence

Having a "seat at the table" with the board and C-suite is essential for effective CISOs. Achieving that position requires deliberate tactics for engagement and influence.

Establishing Direct Reporting Lines

Organizational structure can either elevate or constrain a CISO's influence. An increasing number of companies are repositioning the CISO outside the CIO's domain; approximately 20% of CISOs now report directly to the CEO. This restructuring signals that cybersecurity is a business risk management function, not just an IT concern.

Even without direct CEO reporting, CISOs can build strong informal communication channels to board members through regular briefings or participation in enterprise risk committees.

Communicating in the Board's Language

Effective CISOs translate technical findings into financial and strategic terms that boards understand. Nearly half (49%) of CISOs now report to their boards at least weekly, which "presents a new skill to master: the art of communication."

Rather than overwhelming directors with technical metrics, successful CISOs focus on business impact through questions like:

  • "What is the potential financial loss if we don't act?"

  • "How does our cyber risk compare to industry peers?"

  • "What is the risk-adjusted return on this security investment?"

Board members typically excel in business, finance, and oversight – they respond to data framed as ROI, risk appetite, and strategic outcomes. By elevating conversations beyond technical details, CISOs gain credibility as business-savvy executives.

Being Brief and Focused

Time with the board is precious. CISOs should ensure their presentations are concise and high-impact, starting with a high-level overview and resisting the urge to dive into technical details.

In practice, this might mean highlighting three top risks or recent incidents and their business implications, rather than presenting an exhaustive threat landscape report. Board members appreciate brevity and clarity, which demonstrates the CISO's strategic focus.

Finding a Board Ally

Experienced CISOs often cultivate relationships with at least one board director who has interest or background in cybersecurity. This ally can champion security concerns during board discussions and help translate between technical and non-technical directors.

Many boards now designate a member with cybersecurity expertise; CISOs should leverage that person as a sounding board and supporter.
