The Great CISO Expansion: When Security Leaders Become Everything Leaders
By Staff Writer | Published: August 6, 2025 | Category: Leadership
The modern CISO role has expanded far beyond cybersecurity into domains like business continuity, compliance, and even real estate management. This evolution presents both unprecedented opportunities and significant risks for organizations.
The Transformation of the CISO Role
The transformation of the Chief Information Security Officer role represents one of the most significant shifts in executive leadership over the past decade. What began as a technical position focused on protecting digital assets has morphed into something approaching a chief risk officer role with cybersecurity expertise. This evolution, while creating new opportunities for security leaders to drive business strategy, also raises fundamental questions about organizational effectiveness, executive sustainability, and risk management.
Mary K. Pratt's recent analysis of CISO role expansion reveals a profession in transition, with security executives taking on responsibilities ranging from business continuity and compliance to real estate management and environmental, social, and governance initiatives. The trend reflects broader organizational recognition that cybersecurity permeates every aspect of modern business operations. However, the implications extend far beyond individual career trajectories to fundamental questions about how organizations structure leadership and manage enterprise risk.
The Strategic Logic Behind CISO Expansion
The rationale for expanding CISO responsibilities appears sound on the surface. Security leaders possess unique organizational visibility, understanding how systems, processes, and risks interconnect across business units. Their experience managing complex, cross-functional challenges positions them well for broader risk management responsibilities. Doug Kersten of Appfire articulates this perspective clearly, noting that CISOs have developed capabilities in cross-collaboration and risk assessment that translate well to adjacent domains.
This expansion also addresses a longstanding challenge within the cybersecurity profession: the struggle for executive recognition and strategic influence. For years, CISOs fought to gain seats at executive tables, often finding themselves relegated to tactical implementation roles rather than strategic planning positions. By taking on broader responsibilities, they demonstrate business acumen and strategic thinking that can elevate their organizational standing.
The timing of this expansion aligns with several macro trends driving organizational complexity. Regulatory environments have become increasingly complex, with data protection, privacy, and industry-specific compliance requirements creating interconnected webs of obligation. The rapid adoption of artificial intelligence across business functions has introduced new categories of risk that span traditional organizational boundaries. Supply chain vulnerabilities have highlighted the interconnected nature of third-party risk management. These developments naturally gravitate toward leaders with holistic risk perspectives.
The Competency Challenge
Yet the expansion raises serious questions about competency and effectiveness. Richard Watson of EY identifies a fundamental challenge: CISOs often inherit responsibilities for which they lack formal training or experience. Risk management assurance, for example, might require understanding of environmental regulations, anti-corruption laws, and modern slavery statutes—domains far removed from traditional cybersecurity education and experience.
This competency gap becomes particularly acute when examining the career trajectories of many CISOs. The profession has traditionally drawn from technical backgrounds, with professionals advancing through roles in network security, incident response, and security architecture. While these experiences develop valuable problem-solving skills, they may not provide adequate preparation for legal compliance, physical security management, or corporate governance responsibilities.
The case of Marty Barrack at XiFin illustrates both the potential and the challenge. Barrack's combination of legal training, MBA education, procurement experience, and security certifications positions him uniquely for his expanded role as CISO and chief legal and compliance officer. However, his acknowledgment that the role will likely be divided when he departs highlights the rarity of such comprehensive qualifications.
Research from PwC's 2024 Global Risk Survey supports these concerns, finding that organizations with consolidated risk functions under single executives show higher rates of control failures compared to those with distributed, specialized risk management structures. The study suggests that while consolidation can improve coordination, it may compromise depth of expertise in critical areas.
The Sustainability Question
The sustainability of expanded CISO roles presents perhaps the most significant concern. Cybersecurity leadership already faces well-documented challenges with stress, burnout, and turnover. Foundry's 2024 State of the CISO Report found that the average tenure in the role has decreased to 2.3 years, with stress cited as a primary factor in departure decisions.
Adding responsibilities for business continuity, third-party risk management, physical security, and compliance oversight to an already demanding role seems likely to exacerbate these pressures. The breadth of knowledge required across multiple domains creates continuous learning demands that may prove unsustainable for many executives.
Moreover, the expansion of CISO responsibilities occurs against a backdrop of increasing cybersecurity threats. The 2024 Verizon Data Breach Investigations Report documented a 68% increase in business email compromises and a 180% increase in attacks targeting vulnerabilities. These trends suggest that core cybersecurity responsibilities are becoming more, not less, demanding.
The hiring implications compound sustainability concerns. Carl Froggett of Deep Instinct notes that expanding role requirements will make recruitment more difficult in a field that already faces talent shortages. The National Institute of Standards and Technology estimates a global cybersecurity workforce gap of 3.5 million positions. Adding requirements for legal, compliance, and business continuity expertise to CISO job descriptions seems likely to narrow the candidate pool further.
Industry and Organizational Variations
The appropriateness of CISO role expansion varies significantly across industries and organizational contexts. In highly regulated sectors like healthcare and financial services, the interconnection between cybersecurity and compliance creates natural synergies for consolidated oversight. Healthcare organizations, for example, must navigate HIPAA privacy requirements, FDA medical device regulations, and state data protection laws—domains that share common risk management principles with cybersecurity.
Conversely, in manufacturing or retail organizations, the connection between cybersecurity and physical security or supply chain management may be less direct. While these functions share risk management principles, they require distinct operational expertise and stakeholder relationships.
Organizational size also influences the viability of expanded CISO roles. Smaller organizations may find consolidation economically necessary, lacking resources to support multiple specialized executive positions. Larger enterprises, however, have greater capacity for specialized roles and may benefit from maintaining distinct leadership for different risk domains.
The maturity of existing cybersecurity programs represents another crucial variable. Organizations with well-established security operations, mature incident response capabilities, and strong security cultures may have CISOs with bandwidth for additional responsibilities. Those still building foundational security capabilities risk compromising core protections by diverting leadership attention to adjacent domains.
Organizational Design Implications
The CISO expansion trend reflects broader questions about optimal organizational design for risk management. Traditional organizational theory suggests that specialization and division of labor enhance efficiency and effectiveness. The movement toward consolidated risk oversight under CISOs challenges this principle, suggesting that coordination benefits may outweigh specialization advantages in certain contexts.
However, organizational research also demonstrates the importance of structural clarity and role definition for executive effectiveness. When roles become too broad or poorly defined, decision-making can slow, accountability can blur, and strategic focus can diffuse. The Harvard Business School's research on executive role clarity finds that leaders with well-defined, appropriately scoped responsibilities consistently outperform those with ambiguous or overly broad mandates.
The independence principle represents another critical consideration. Certain functions, particularly audit and regulatory compliance, require independence from operational leadership to maintain objectivity and credibility. Consolidating these functions under CISOs who also manage security operations may compromise this independence, potentially creating regulatory or governance risks.
A Framework for Decision-Making
Given these considerations, how should organizations approach decisions about CISO role expansion? Several factors should guide these determinations:
- Assess the individual capabilities and interests of existing security leadership. Leaders with diverse educational backgrounds, broad business experience, and demonstrated interest in enterprise risk management may be well-positioned for expanded roles. Those with primarily technical backgrounds or strong preferences for hands-on security work may be less suitable for broader responsibilities.
- Evaluate organizational risk interdependencies. Industries or organizations where cybersecurity, compliance, and operational risks are highly interconnected may benefit from consolidated oversight. Those with distinct risk domains may be better served by specialized leadership.
- Consider resource constraints and organizational maturity. Smaller organizations or those with limited executive resources may find consolidation necessary, while larger, more mature organizations should carefully weigh the benefits of specialization.
- Maintain clear accountability structures and reporting relationships. Expanded roles should come with clear definition of responsibilities, success metrics, and reporting structures to prevent ambiguity and ensure effective governance.
- Plan for succession and sustainability. Organizations should develop bench strength and succession plans that account for the expanded skill sets required, potentially including partnerships with educational institutions or professional development programs.
The Path Forward
The expansion of CISO roles represents both opportunity and risk for organizations. When implemented thoughtfully, with appropriate consideration of individual capabilities and organizational needs, consolidated risk management under security leaders can enhance coordination, improve strategic alignment, and elevate the cybersecurity function's business relevance.
However, organizations must resist the temptation to simply pile additional responsibilities onto security leaders without corresponding support, resources, and consideration of sustainability. The cybersecurity function remains critical to organizational resilience, and compromising its effectiveness through leadership overextension would represent a significant strategic error.
The most successful approaches will likely involve hybrid models that maintain specialization in critical areas while creating coordination mechanisms across related functions. This might involve CISO leadership of risk management councils, matrix reporting relationships for compliance functions, or shared service models for common capabilities like vendor management and business continuity planning.
Ultimately, the evolution of the CISO role reflects the increasing centrality of risk management to business strategy. Organizations that thoughtfully navigate this evolution, balancing coordination benefits with specialization needs, will be best positioned to manage the complex risk landscape facing modern enterprises. Those that simply allow roles to expand without strategic consideration risk compromising both cybersecurity effectiveness and broader risk management capabilities.
The question is not whether CISO roles should expand, but how organizations can structure risk management leadership to maximize effectiveness while maintaining sustainability. The answer will vary by organization, but the importance of getting it right has never been greater.
To explore more about the evolving role of CISOs and their expanding responsibilities, read further on this in-depth analysis on CSO Online.