Part III: The New CISO – Bridging Security, Business, and Innovation
Introduction
The role of the CISO is undergoing its most significant transformation in decades. What used to be a technical function has now evolved into a key driver of business strategy, financial accountability, and regulatory scrutiny.
Gone are the days when CISOs operated solely behind the scenes—today, security leaders must be business enablers, balancing innovation, risk management, and shareholder trust.
The Wells Notice the SEC issued to SolarWinds and its CISO, Tim Brown, signals a fundamental shift in cybersecurity leadership. CISOs may now face direct, personal legal accountability for misleading risk disclosures, which raises the stakes for executive collaboration, regulatory awareness, and structured risk communication.
Security is no longer just an IT function. It’s central to financial decision-making, corporate reputation, and investor confidence—making it critical for CISOs to build deep relationships across the C-suite to navigate this evolving landscape.
I. The Business Enabler
1. Security as a Growth Driver
CISOs are in the business of revenue protection. Security must align with a company’s value chain, ensuring operational integrity without stifling innovation. Availability matters just as much as confidentiality and integrity, yet too many CISOs focus only on defense rather than enabling business success.
To be effective, CISOs need to:
- Understand how the company makes money and ensure security supports business objectives.
- Align security programs with revenue generation strategies, such as compliance certifications that strengthen market differentiation.
- Help the company move forward strategically while mitigating risks proactively—not just saying no to new technologies, but guiding their secure adoption.
Security operates across several key areas:
- Enterprise Security (protecting corporate systems)
- Application Security (securing the software the company builds and runs)
- Product Security Features (enhancing security for customers)
- Operations (ensuring business continuity)
Each of these areas builds customer trust—a core pillar of sustainable business growth.
2. Real-World Case Study
At one point, we identified an opportunity to reduce costs while simultaneously making an application more secure. The initiative mitigated legacy risks while improving availability. Initially, I focused too heavily on confidentiality and integrity, neglecting availability—a critical mistake that reinforced the need for business-aligned security.
As an engineer by trade, I tend to think like a "solution-eer"—always focused on problem-solving efficiency. However, I’ve learned that getting stakeholder buy-in early is just as important as speed. People need to feel consulted in decisions affecting them. Now, I make sure we’re aligned before charging ahead, ensuring smoother execution.
II. Driving Innovation in Cybersecurity
1. Leveraging Emerging Technologies
Artificial Intelligence (AI), machine learning (ML), and data analytics are game-changers for security. At Zions Bancorp, I observed how the company's Big Data capabilities grew out of Information Security rather than remaining solely within the cyber team.
Using data warehouses, we correlated user actions and behavioral patterns to reduce mean time to containment, improving response times against cyber threats. The ability to train machine learning models to assist in detecting anomalies and fighting adversaries was revolutionary.
Despite a small team, we made huge strides by focusing on automation, data-driven decision-making, and continuous optimization, ensuring that security remained scalable without excessive operational overhead.
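The correlation step described above, as an added example that is not code from the article, from Zions Bancorp, or from any real SOC: a per-user behavioral baseline is learned from historical login events, then new events are scored against it and against the user's own recent activity so that deviations surface first. Simple rule-based scoring stands in for the trained model the text mentions; the log format, user names, addresses, hosts and the one-hour travel window are all constructed assumptions.

```python
"""Correlating user actions against a behavioural baseline.

Added example, not code from the article or from any bank's SOC. The log
lines, user names, IPs and hosts below are constructed. Rule-based scoring
stands in for the trained model the article mentions; the correlation step
(per-user baseline plus a recent-activity window) is the same either way.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical login events used to learn "normal" per user.
HISTORY_LOG = """\
2024-03-04T08:55:01 auth login user=alice src=203.0.113.10 country=US host=vpn-gw1
2024-03-04T13:20:45 auth login user=alice src=10.20.0.17 country=US host=corp-laptop-17
2024-03-05T09:02:11 auth login user=alice src=203.0.113.10 country=US host=vpn-gw1
2024-03-06T17:45:00 auth login user=alice src=10.20.0.17 country=US host=corp-laptop-17
2024-03-04T10:10:00 auth login user=bob src=198.51.100.8 country=US host=vpn-gw1
2024-03-05T11:30:30 auth login user=bob src=198.51.100.9 country=GB host=vpn-gw1
2024-03-06T15:05:12 auth login user=bob src=10.20.0.44 country=US host=build-srv
"""

# Constructed new events to triage against the baseline.
NEW_LOG = """\
2024-03-11T09:05:10 auth login user=alice src=203.0.113.10 country=US host=vpn-gw1
2024-03-11T09:40:00 auth login user=alice src=192.0.2.77 country=RU host=vpn-gw1
2024-03-11T03:15:00 auth login user=bob src=198.51.100.9 country=GB host=jump-host
2024-03-11T10:00:00 auth login user=mallory src=203.0.113.99 country=US host=vpn-gw1
"""

LINE_RE = re.compile(
    r"^(\S+) auth login user=(\S+) src=\S+ country=(\S+) host=(\S+)$"
)
TRAVEL_WINDOW = timedelta(hours=1)  # assumed threshold for impossible travel


def parse_log(text):
    """Return [(timestamp, user, country, host)] for lines matching LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, country, host = m.groups()
            events.append((datetime.fromisoformat(ts), user, country, host))
    return events


def build_baselines(events):
    """Per-user sets of countries, hosts and login hours seen in history."""
    base = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for ts, user, country, host in events:
        base[user]["countries"].add(country)
        base[user]["hosts"].add(host)
        base[user]["hours"].add(ts.hour)
    return dict(base)


def score_event(event, baselines, recent):
    """Return the list of reasons an event deviates from the baseline."""
    ts, user, country, host = event
    reasons = []
    profile = baselines.get(user)
    if profile is None:
        reasons.append("unknown_user")
    else:
        if country not in profile["countries"]:
            reasons.append(f"new_country:{country}")
        if host not in profile["hosts"]:
            reasons.append(f"new_host:{host}")
        if ts.hour not in profile["hours"]:  # crude: exact hour-of-day set
            reasons.append(f"off_hours:{ts.hour:02d}")
    # Correlate with the user's own recent logins: a different country
    # inside the travel window is flagged even if both countries are "normal".
    for prev_ts, prev_country in recent.get(user, []):
        if prev_country != country and abs(ts - prev_ts) <= TRAVEL_WINDOW:
            reasons.append(f"impossible_travel:{prev_country}->{country}")
            break
    return reasons


def triage(new_events, baselines):
    """Score events in time order; return (user, iso_ts, reasons) for hits."""
    recent = defaultdict(list)
    flagged = []
    for event in sorted(new_events):
        reasons = score_event(event, baselines, recent)
        ts, user, country, _host = event
        recent[user].append((ts, country))
        if reasons:
            flagged.append((user, ts.isoformat(), reasons))
    return flagged


def run_example():
    """Learn from HISTORY_LOG, then triage NEW_LOG; returns the flagged events."""
    baselines = build_baselines(parse_log(HISTORY_LOG))
    return triage(parse_log(NEW_LOG), baselines)


if __name__ == "__main__":
    for user, when, reasons in run_example():
        print(f"{when} {user}: {', '.join(reasons)}")
```

The point of the design is that each flagged event carries its reasons, so the analyst who picks it up already has the context that would otherwise be rebuilt by hand from raw logs; that is where the containment time is saved. A production version would replace the hour-of-day set with a learned distribution and add more signals, but the per-user baseline and the recent-activity correlation are the parts that do not change.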
2. Security as a Competitive Advantage
Today, Third-Party Risk Management (TPRM) requires businesses to assess who processes their data, how it's handled, and where vulnerabilities might exist. Vendors must answer critical security questions:
- Are they interacting with data at rest, in transit, or in use (during processing)?
- Are they using self-hosted, commercial off-the-shelf (COTS), SaaS, or custom-built software?
Compliance efforts—such as SOC 2, ISO 27001, FedRAMP, and CMMC—help tell the story of security diligence, but compliance alone isn’t enough. Asking vendors tough questions—like “What’s the riskiest part of what you do for us?”—helps uncover potential blind spots. Security must be an ongoing dialogue, not a one-time certification.
III. Fostering Cross-Functional Collaboration
1. The Power of Partnerships
Modern CISOs cannot operate in silos. Success depends on cross-functional collaboration with teams like Engineering, Product, Legal, and Finance.
To strengthen executive relationships, CISOs should:
- Engage with leadership networking groups to deepen ties with CFOs, CLOs, and CEOs.
- Leverage past professional connections to gain insights into broader business challenges.
- Lead with solutions, not just risks—offering pathways to secure growth rather than blockers to innovation.
- Join financial and strategic planning discussions, ensuring security is embedded in major business decisions, from product launches to mergers and acquisitions.
How have you personally built executive relationships in past roles? Are there specific networking strategies that have worked well for you?
2. Building a Security-Aware Culture
Security is everyone’s responsibility, and so is risk management. CISOs must teach people to recognize threats in ways that are relevant to their day-to-day operations.
Key strategies include:
- Security champions programs, where developers work alongside security teams to deepen trust and break down barriers.
- Role-based security training—invoice processors should be trained on phishing, while manufacturing floor operators should focus on system access risks.
- Making security seamless by implementing single sign-on (SSO) over SAML, automated account provisioning and deprovisioning over SCIM, and Zero Trust Network Access (ZTNA), reducing friction for users while protecting against misuse.
Leadership is about mentorship, guidance, and communication. CISOs must not just enforce security but also empower teams to make informed security-conscious decisions.
IV. The Future of the CISO Role
1. Expanded Legal and Financial Accountability
The SolarWinds Wells Notice marks a turning point for CISOs. The SEC’s 2023 cybersecurity disclosure rules already require material incidents to be reported on Form 8-K (Item 1.05) and annual risk-management and governance disclosures in the 10-K; as regulatory scrutiny increases, security leaders may soon be required to sign off on those filings alongside CFOs and General Counsels.
To prepare, CISOs must:
- Ensure they are covered under Directors & Officers (D&O) insurance, and negotiate that coverage into their employment agreements.
- Engage in financial and legal discussions early, understanding regulatory reporting requirements.
- Develop strong relationships with CFOs and CLOs, ensuring cybersecurity risks are properly documented in shareholder disclosures.
We, as a profession, must talk to one another and our counterparts in business leadership, making informed decisions about how our roles will evolve.
Do you see CISOs becoming regularly involved in shareholder reporting, or do you believe companies will restructure security leadership to mitigate personal liability risks?
Conclusion
The modern CISO is a business enabler, an innovation leader, and a collaborator driving security beyond technical defense. As businesses continue evolving, security leaders must adapt—embracing innovation while safeguarding trust in an ever-changing digital world.
As legal and financial responsibilities grow, CISOs must prepare for accountability, negotiate protections, and build strong executive relationships to position themselves for success.
The security leadership landscape is shifting rapidly—how are you preparing for the next phase of cybersecurity leadership?