The Evolving CISO: Navigating New Threats, Data Governance, and AI Challenges

The role of the CISO is evolving rapidly, particularly in relation to the CIO. As businesses face an increasing threat landscape and new regulatory demands, the CISO's responsibilities are expanding well beyond traditional cybersecurity. Understanding where the CISO fits within the organizational structure, how their charter has evolved, and their growing involvement in data governance are crucial considerations. Additionally, with the rise of GenAI, the capabilities and expectations for CISOs are set to transform dramatically, necessitating a reevaluation of their role and strategic priorities.

CISO Reporting

The ideal reporting structure for a CISO varies based on organizational priorities, but the best placements are either directly under the CEO, CIO, or the Chief Risk Officer (CRO). This setup ensures that cybersecurity is treated as a business-critical, risk-oriented function.

While reporting to the CIO is most common, it can sometimes create tensions between security and IT priorities. This is because the CISO should have unimpeded access to other C-suite leaders, especially in highly regulated industries, where the collaboration with the CFO by necessity has grown. Todd Mazza , CTO for FM Global, says, “the CFO is the last place on earth where a CISO needs to be reporting. Regardless, CISO's require great relationships across all CXOs and BOD members.” Yet the recent SEC Materiality Rule pushes CFOs and CISOs closer together in assess risk and sharing strategies for mitigating it.

The relationship between the CISO and CIO is pivotal to the success of both organizations. It requires constant alignment on priorities like roadmaps, toolsets, and incident management. Security should not be seen as a separate layer imposed on IT operations but integrated into every phase of technology development. Without a strong, collaborative CIO-CISO partnership, organizations risk disjointed operations, especially during critical incidents where coordination between security and network operations is key. Former BusinessWeek CIO Isaac Sacolick says, “the bigger challenge is the CIO/CISO relationship, especially around setting roadmap and priorities. You can't have competing roadmaps, operating models, and toolsets. Also, when the business experiences an outage and needs resolution, incident management can't be a NOC vs SOC battle.”?

Ultimately, the organization’s approach to balancing innovation and risk dictates the CISO’s reporting structure. While the CISO’s relationship with the CIO is crucial for operational success, having direct lines to the CEO or CRO ensures that cybersecurity remains a top-level business priority, allowing for better risk management and alignment across all leadership roles. Fractional Manufacturing CIO Joanne Friedman , says given the criticality of cyber-security, I would suggest dotted line reporting to the CIO and direct to the CEO. Honestly, I think it really depends on the industry more than anything else, but overall, I see the CISO needing CEO and board support. Manhattanville College CIO Jim Russell, MPubA agrees and says, “the model I think works best is reporting to the CIO but with a dotted line or un-impeded access to the rest of the C-Suite including the CEO. Ideally the CIO and CISO are partners and regular engagement at all stages of development and planning.”

The CISO Charter

Over the last five years, the CISO's charter has significantly expanded in scope and complexity, say CIOs. Historically, CISOs were more focused on internal security measures, today's CISO must now navigate an increasingly hostile threat landscape, characterized by sophisticated criminal enterprises and nation-state actors. This has pushed the CISO to take a more proactive role in data protection, AI governance, and incident management, especially as GenAI introduces new risks and opportunities. Data ownership, including tracking its provenance and lineage, has become a crucial part of the CISO's responsibilities, requiring closer collaboration between IT and InfoSec teams.

The biggest expansions in the CISO's role revolve around governance of AI, operational technology, and educating users on cybersecurity risks. CISOs must now focus on building literacies around data protection and privacy, not just within their organizations but across their vendor ecosystems and customer bases. Their role has evolved to be business-focused, managing relationships with five key groups: clients, vendors, the C-suite, the board of directors, and regulators. This broader, outward-facing focus highlights the CISO’s critical role in shaping the overall risk strategy of the organization.

Role in Data Governance

Historically, CISOs may have left data security and governance to data teams, but this approach is no longer sufficient given the CISO's responsibility for mitigating the impact of hacks. Russell suggests that, for at least the past 15 years, CISOs have been integral in managing security risks early in the design and planning stages, which helps prevent breaches. Sacolick supports the idea of the CISO focusing on data security, while leaving broader governance to the CDO, depending on the skills and priorities of the leaders. Meanwhile, Friedman argues that if the CISO is accountable for the impact of a hack, they must have the authority to reshape the security charter to better protect the organization.

Gen AI

The rise of Generative AI (GenAI) presents both opportunities and challenges for CISOs. On one hand, it introduces new threats, such as deepfakes and AI-driven attacks, amplifying the complexity of the threat landscape. As Mazza notes, “while GenAI has the potential to make a CISO's team more effective through automation and enhanced tools, in the short term, it may make their job much harder as they scramble to manage evolving risks. The technology’s rapid development means CISOs must constantly adapt, especially as vendors rush to integrate AI into their products—sometimes without fully understanding its implications.”

Russell emphasizes that much of GenAI’s value will come from organizational data, making it crucial for the CISO to be involved early in the planning stages of AI initiatives. This will involve reviewing access, licensing, and ensuring proper user education and safeguards. As Sacolick points out, GenAI also magnifies the challenge of controlling access to sensitive data, particularly unstructured datasets, requiring more sophisticated ways to scan and secure information. Finally, Friedman highlights that while AI-based tools will aid the CISO, their charter may expand to include responsibilities around AI ethics and governance, pushing the role further into the domain of business strategy and risk management.

Parting Words

The role of the Chief Information Security Officer (CISO) has significantly expanded in recent years, particularly in its relationship with the Chief Information Officer (CIO). As cybersecurity threats from sophisticated actors rise and regulatory demands increase, the CISO is now more deeply involved in business strategy, data governance, and AI ethics. The reporting structure for a CISO—whether to the CEO, CIO, or Chief Risk Officer—directly impacts their effectiveness, especially in highly regulated sectors. The CISO must now manage relationships across clients, vendors, the C-suite, and regulators, while ensuring cybersecurity remains a business-critical priority.

Generative AI (GenAI) presents both opportunities and heightened risks for CISOs, expanding their responsibilities in protecting data and managing AI governance. While GenAI can improve automation and incident response, it introduces new challenges in data protection, deepfakes, and AI-driven threats. CISOs must now be more proactive in ensuring AI-related security measures, working closely with other data teams, and helping shape an enterprise’s ethical AI usage. This shifting landscape underscores the need for the CISO to evolve from an internal security role into a strategic business partner.