The role of the Chief Information Security Officer (CISO) has long been a topic for debate. Almost ever since the role first emerged as organizations saw the need to focus on information security, there has been discussion about the how role could or should evolve.

With information security now more important than ever before, the role of the CISO continues to evolve and gain in importance, with responsibilities extending way beyond the IT department and technical issues to include processes, policy, strategy, regulatory requirements and collaboration with peers, technology developers and government.

The leadership role of the CISO and topics related to this important function were a key focus at the recent KuppingerCole Cybersecurity Leadership Summit (CSLS) in Berlin, where participants in a panel discussion agreed that frequent communication with the board and other business leaders is essential.

Cyber hygiene and the human aspect of security were also key topics at the summit, and for this reason, CISOs need to be far more people-oriented. They need to be good managers of people, and they also need to understand human interactions because often people are initial targets of cyber-attacks. Making people the first line of defense is therefore important, and CISOs need to know how to achieve that goal.

Regardless of whether or not the CISO is a member of the board or reports to the CIO, regular, frank, and clear communications with business leaders is one of the most important capabilities of a CISO today.

This need is driven by the fact that the business needs to support security in real-time, because company stakeholders now value IT security very highly, and because board members are now typically much more tech savvy.

Company leaders are moving beyond traditional governance, risk and compliance considerations; they are asking technically detailed questions and are looking for answers about how well organizations are prepared to adapt to economic and political changes.

As a result, CISOs need to be business leaders because security is increasingly becoming an important element of business strategy. CISOs, therefore, are becoming less involved in day-to-day security, but increasingly playing a role in collaboration across the organization, across the supply chain, and across industry.

The contemporary CISO, therefore, is typically dividing their time equally between three main tasks. First, is leading the technology and operational teams within the organizations who deliver security controls. Second, is thinking about the technology that needs to be adopted and putting in the necessary risk controls around that. Third, is liaising with government, peers, and industry to understand research and evaluate the risks associated with political and economic changes to avoid falling behind.

As ever, the role of the CISO is important, continually evolving and expanding, and increasingly important for organizations to understand and appoint the rights kinds of people with the right skill sets to ensure the business can survive in the face of the latest cyber threats to rapidly changing business IT landscapes.

A CISO has to be able to communicate in a way which can be understood by the respective target group. And I would say that's one of the key capabilities a modern CISO needs to have.

— Berthold Kerl, CEO, KuppingerCole

Because we understand the importance of ­­­­­­­­the role of the CISO, and because we are committed to helping your business succeed, KuppingerCole has a range of related content to choose from.


A good place to start is with the presentations and panel discussions at CSLS 2022, which focused on the role of the CISO, starting with this panel discussion on What Are the Key Attributes of the Next-Gen CISO?

Anticipating that discussion, listen to what our CEO Berthold Kerl had to say on the topic of: What Defines Modern Cybersecurity Leadership.

Returning to CSLS 2022, find out what are the key requirements of a CISO and the types of qualities needed to be successful in this presentation by KuppingerCole’s own CISO and Cybersecurity Practice Director Christopher Schütze, entitled: The Art of Becoming a Multifaceted CISO.

For further insights into proven strategies for making critical cybersecurity decisions and  best practices on effective stakeholder management and communication, have a look at this CSLS presentation on Navigating the Labyrinth of Cyber Leadership.

An extremely popular presentation at CSLS considered the following important question: Misinformation – Disinformation – Malinformation (MDM): The Next Big CISO Challenge? This is a topic that we expect to get more attention in future as organizations seek to expand their knowledge about the associated risks and how to mitigate them.

Other CSLS 2022 content pertaining to cybersecurity leadership or of relevance to CISOs included this CISO panel on Mitigating State Sponsored Attacks in Cyber-Space, this CISO talk on Cloud as a Security Enabler, and this presentation entitled: Five things CISO and CTO’s should consider to fend off modern cyber-attacks.

For some CISO-related or CISO-led content from previous KuppingerCole events have a look at this CISO panel discussion on Securing the Composable Enterprise at EIC in Berlin earlier this year.

For further reflections on the role of the CISO, look at this fireside chat with the then CISO of Twitter on Transforming Security Culture, and this presentation on Looking Back at the Reporting Line of the CISO from last year’s CSLS.

Compare this year’s and last year’s perspectives on the CISO role with those of presentations delivered at CSLS on The Future Role of the CISO in 2020 and a late 2018 presentation entitled: What is the Role of a CISO in 2020?

Other CISO-related content includes this interview on Privileged Access Management from a CISO Perspective and this KC Live presentation entitled: CISOs, Complexity, Containment (and other C-words).

KuppingerCole has interviewed several CISOs to gain their insights on relevant topics. Choose from the list below:


And finally, two 2019 blog posts. The first on the role of a CISO entitled: Redefining the Role of the CISO – Cybersecurity and Business Continuity Management Must Become One  and  the second on what CISOs were focusing on, entitled: Authentication and Education High on CISO Agenda.