Security executives such as CISOs have seen their roles evolve rapidly over the past few years as cybersecurity rises to the forefront of board and C-suite concerns. Increasingly, business leaders are turning to their security professionals for answers. But they don’t want to hear the arcane details around firewalls and endpoint security measures. They want to help make strategic decisions about new products, markets, and operational improvements without taking on unacceptable levels of risk.

As a security executive, are you ready to take on a more expansive, prominent, and strategic role in your organization?

Cyberattacks are not only becoming more common but also more costly.

69% of companies across industries and geographies report an increase in threats.[1]

$1.79 million was the average ransom payment in 2021, an increase of 63% over the previous year.[2]

Here are seven steps you can take to prepare:

  1. Expand your knowledge and skills.

    Your role is expanding and becoming more prominent and consultative. For that reason, you must now understand the business so you can advise functional and corporate leaders about the implications of strategic decisions. Cultivate inside and outside resources, both casual and formal, to learn everything you can about the business, the industry, and the broader environment in which it operates.

  2. Know what questions to expect from the C-suite and board.

    Be prepared for tough questions from business leaders around cybersecurity risks. To answer them, it helps to understand the question behind the question. For example, a board member might ask, “Are we 100% secure?” This question revolves around the tradeoff between acceptable risk and “total” security. Help them understand that security must be balanced against operational efficiency. Take this example: “If I took your phone away, it would be completely secure, but you couldn’t get any work done.” The better question is: “What steps can we take to reduce risk without compromising our ability to operate effectively and continue to innovate?”

  3. Build new relationships.

    The best way to get to know the security requirements across the organization is to ask line-of-business (LOB) and functional leaders. Practice the art of listening. Start with the CEO to understand where the organization is and what its goals are. You'll also need their support for security- and risk-related initiatives. But don't stop there. The CRO can bring you up to speed on products and markets. The CMO will be interested in leveraging customer data without falling out of compliance with privacy regulations.

  4. Ask the right questions to understand strategic goals and risk appetite.

    The relationships from the previous step are how you gather the information you need here. Ask LOB and functional leaders these questions:

    • What are you really trying to accomplish? What are we trying to keep safe?
    • How do we assess the risk in current or future business practices?
    • How do we know what areas of the business are impacting our risk posture the most?
    • If a control fails and increases residual risk, how will we know?

  5. Plan to participate earlier in the decision-making process.

    This is in many ways the most important change in your role, and the one you've been preparing for in the previous steps. To do your job effectively, you must take a seat at the table during strategic decision-making and transition from nay-sayer to enabler. Your new role is to enable strategic initiatives by managing risk from the start rather than hindering them downstream. Think of it as setting a speed limit for the organization so it can reach its destination safely, rather than throwing up a roadblock.

  6. Expand your team.

    Resources are always tight, but security budgets are growing. If you have the means to grow your team, KPMG identified several new roles to consider, including:

    • Resilience strategist
    • Cyber risk modeler
    • Orchestration manager
    • Behavioral analyst
    • Attack simulator
    • Ecosystem security architect
    • AI overseer

  7. Leverage technology platforms and automation.

    The right technology can help you overcome the talent shortage that many IT teams are facing these days, and it also frees up resources for the more strategic work you should now be focusing on. Look for solutions that break down data silos to provide high-level visibility and analytics around the organization's compliance, risk, and security posture. These tools should also make it easy to report to your peers as well as the CEO and board, or even provide them with interactive drill-down risk dashboards tailored to their needs.

Building a risk management program requires new skill sets for many CISOs, as well as a more prominent role. These steps are just the beginning of your journey. Want to learn more? Our latest eBook, The Changing Role of the Security Executive, is a deep dive into the ways that security professionals must adapt to wider responsibility and more prominent leadership. Download the eBook.

[1] Deloitte Future of Cyber survey | Global

[2] A Ransomware Outlook for 2022 – Infosecurity Magazine