Businesses manage a series of balancing acts every day—between innovation and reliability, for instance, or investment and profit, or speed and security. Each leader contributes to how decisions are weighed and made, and traditionally chief information security officers (CISOs) have been expected to operate at one end of that scale, as the chief protector of the business.
However, for the last decade, CISOs have been gradually adapting their roles as business has become increasingly digitized and data driven. CISOs are no longer limited to back-office support functions but have stepped forward to take their place in broader business discussions and decision-making.
New Netskope data shines a light on this change. Our Bringing Balance report shows that the modern CISO has now found their way out from under the wing of the wider executive team and is ready to help contribute to the business's objectives, enabling growth and innovation.
59% of CISOs now see themselves as business enablers, with 67% stating that they want to play an even more active role going forward.
However, the research also found that two in three CISOs (65%) believe that other members of the C-suite still do not see that the CISO role makes innovation possible, and 92% said that conflicting risk appetites are an issue for their C-suite.
So how can CISOs change C-suite attitudes and help the wider organization to see them as true business enablers?
Link cybersecurity to business goals
Data is the lifeblood of modern business, which means the CISO role is integral to ensuring a business can function. But how do you show value when you are not directly tied to driving revenue? The answer becomes obvious when you flip the question around: how can you drive consistent revenue if the business is hamstrung by uncontrolled risks?
CISOs need to build relationships with all departments across the organization to understand the priorities of each, and work out how security policies can help deliver against them. This is about managing risk, of course, but it’s also about enablement. By creating links across silos, CISOs can shift from an entirely defensive role of Protector and become more progressive, proactive and permissive. The research found that CISOs want to be able to say yes more (66% expressed this desire), and the best way to do this is to think in terms of “Yes – how do we get there?”
Build trust in strategy, not tactics
When speaking with the C-suite or the Board about business objectives, CISOs too often find themselves having very tactical rather than strategic conversations. Zero trust is the latest trend that has gathered traction among non-technical senior stakeholders, with 58% of CISOs reporting that their executive teams and boards are asking about zero trust as they look to engage with the organization’s cybersecurity posture.
This is a great starting point: the majority of CISOs (55%) believe a zero trust approach will enable them to balance conflicting priorities better, and that it will enable their organization to achieve key goals like moving faster (59%) and encouraging innovation (58%).
However, we need to approach the conversation with caution. To harness the benefits of zero trust and elevate their standing among their C-suite peers, CISOs will need to ensure they are not drawn into conversations purely about technology and practices. The focus should be on business enablement and business risk, rather than specific tools. So embrace the interest in zero trust from non-technical colleagues and map out the opportunities with them to ensure you are engaging strategically.
The zero trust paradox
There is an inherent contradiction at the heart of both the CISO role and the zero trust model: because they are often about imposing more controls, it can seem counterintuitive to say that zero trust can increase an organization’s flexibility and speed. But in reality, an effective modern CISO allows their peers within business leadership to be bolder, to take risks and innovate, safe in the knowledge that their most valuable asset – data – is appropriately protected.
Our research makes clear that the CISO role has changed fundamentally, but that the process of changing perceptions at executive and board level is still a work in progress. CISOs who are able to define and communicate the ways in which they are helping their C-suite peers to acquire new revenues, drive efficiencies, and navigate regulatory requirements will be the ones who are recognized as valuable contributors at the highest levels.