From security to strategy: the evolving role of the CISO

Why and how CISOs need to adapt in order to thrive in the increasingly digitalised enterprise.

This is a contributed article by Geert van der Linden, Cybersecurity Business Lead at Capgemini Group's Cybersecurity Practice.


Chief Information Security Officers (CISOs) have not always enjoyed the best reputation within large enterprises. Historically, information security has been a byword for corporate caution, an inhibitor of innovation and a check on digital transformation. The CISO was seen as leading the "department of no".

Yet, as cybersecurity has become a more pressing concern in recent years, the role and reputation of the CISO have been elevated in turn. Recent research from IDC, sponsored by Capgemini, shows that CISOs are riding high in their organisations, and also points the way to further opportunities to enhance their role and influence.

The survey of over 1,000 large enterprise executives across the globe found that both information security and the people managing it are regarded as more important than they were three years ago. Over two-thirds (69%) of non-CISO respondents said information security has increased in importance in that time, while 77% reported that the personal influence of the CISO had improved in parallel. Nine in ten executives surveyed (90%) said the CISO is involved in significant business innovation and change decisions, while over 60% said they attend board and executive management meetings.

The research confirms that executives outside the information security department are more likely to see it as a positive contributor to commercial success than a barrier to progress. Over a third (34%) said they perceived information security primarily as "a driver of competitive advantage or differentiation", with 32% crediting it as "an enabler of business efficiency", compared to just 14% who believe it is "a blocker of innovation", and 9% "a compliance hurdle". Executives surveyed also pointed to the ability to improve products and services, and protect customer interests, as key benefits of effective information security.

In recent years, therefore, CISOs have taken significant strides to expand their influence and improve the reputation of information security, firmly establishing it as a business-critical function that is fundamental to competitive advantage.

That provides the foundation for what CISOs should be focusing on next: moving beyond the security silo to play a central role in overall business leadership. When 89% of organisations consider digital transformation as a business priority, there is significant scope for CISOs to play a greater role in driving this forward. From cloud infrastructure to IoT, artificial intelligence and blockchain, key planks of digital transformation depend on effective information security practices.

This is where perceptions continue to lag reality - fewer than a quarter of business executives see information security as a proactive enabler of digital transformation, and over two-thirds of CISOs agree with them.

If CISOs are to continue the momentum of the last three years, they need to reverse this perception and start setting the agenda for digital transformation. They need to be strategic, in outsourcing workflow to create headroom to focus on new priorities; agile, in seeking out opportunities to remove obsolete technology and harness automation; and proactive, in establishing themselves as a critical part of the team driving transformation within the business - through networking, adding value as thought leaders and evolving their skillsets.

Transformation is happening across every large enterprise: the question for CISOs is how hard they are willing to work to be part of it and influence its progress. CISOs can remain focused on narrow questions of security, or they can build on that base to be leaders of overall business change.

There is an opportunity for CISOs to create a more connected role, one that allows them to become role models for operational change - completing their transformation in reputation from cautious custodians to proactive change-makers. That will require a further pivot that builds on the progress already made.

As more enterprises migrate into the cloud, and ever-larger volumes of data are stored, information security is only going to grow in importance. The question for CISOs is whether they will grasp the opportunity to further elevate their own role and status within the digitally-evolving enterprise.


Geert van der Linden is the Cybersecurity Business Lead at Capgemini Group's Cybersecurity Practice. He has been with Capgemini for over ten years and is based in the Netherlands. Capgemini is a global leader in consulting, technology services and digital transformation.