As cyberthreats become more sophisticated, the role of the Chief Information Security Officer (CISO) has evolved from a technical expert to a strategic business leader. Today’s CISOs must balance risk management, regulatory compliance and cybersecurity innovation to protect their organisations in an increasingly complex digital landscape. Industry experts discuss how the evolving role of the CISO presents both challenges and opportunities.

David Morimanno, Director of Identity and Access Management Technologies at Xalient
The role of the CISO is evolving to meet an increasingly complex cybersecurity landscape. While technological advancements such as AI and automation present new opportunities for defence, they also introduce novel risks. To ensure comprehensive cybersecurity, CISOs must balance technological innovation with effective human-centric strategies, while addressing the rise of Non-Human Identities (NHIs).
The expansion of digital ecosystems – cloud infrastructures, IoT and interconnected systems – has dramatically broadened the attack surface. Traditional perimeter-based security models are no longer adequate in this landscape. Organisations instead need a zero-trust approach that secures identities, data and behaviour across the organisation. However, threats evolve as technology evolves. AI and Machine Learning (ML) are transforming attacks, making it essential for CISOs to leverage these technologies for proactive defence and threat detection.
NHIs – automated bots, machine accounts and AI-powered systems – add another layer of complexity. As organisations increasingly adopt AI-driven solutions, managing the security of these identities becomes paramount. Left uncontrolled, NHIs can become an entry point for malicious actors. Securing machine identities, managing access and controlling automated actions are essential steps in mitigating potential risks. Effective identity governance for these NHIs must be integrated into security strategies to ensure they are not exploited by attackers.
The human factor continues to present significant risks. Human error, whether through phishing attacks or weak passwords, remains a leading cause of breaches. Technology alone cannot mitigate these risks; CISOs must focus on fostering a security-conscious culture throughout the organisation. Continuous training, real-time threat awareness and behaviour-driven security strategies must be prioritised to reduce human vulnerabilities.
The human factor also plays a pivotal role in how to leverage AI and automation in security. While these technologies can increase efficiency, they require careful management to ensure that they don’t introduce new risks due to misuse or overreliance on automated processes. Engaging employees and leadership to understand the capabilities and limitations of AI and automation is vital.
The future of cybersecurity in 2025 hinges on the ability to balance technologies like AI with a deep understanding of the human factor and the rising complexities of NHIs. The CISO’s role is to leverage AI and automation to enhance defence, but to also ensure comprehensive control over NHIs, safeguard against human errors, and create a culture where security is ingrained in every employee’s actions. Through this, CISOs can build a resilient security posture that prepares organisations for current and emerging threats.

James Rice, VP of Product Marketing at Protegrity
The role of the Chief Information Security Officer (CISO) is evolving rapidly in response to the growing complexity of both cybersecurity and data challenges. The rise of Generative AI introduces unique risks and vulnerabilities that traditional legacy security models struggle to support. Surrounding or locking down data with more layers of security is not enough.
This shift necessitates embedding AI-specific security capabilities, designed to safeguard unstructured data, ensure robust data-in-motion protection, and provide continuous compliance across a broader set of user interactions to mitigate both legal and operational risks.
AI-driven workflows, from Retrieval-Augmented Generation (RAG) pipelines to dynamic chatbots, are accelerating data interactions at an unprecedented rate. However, this surge in activity exposes critical gaps in security governance and data ownership, heightening risks of breaches and unintended data exposure, leaving companies vulnerable to breaches. Traditional security models struggle to rely on unstructured data – documents, images, emails and chat logs – that fuel AI systems, making robust protection strategies more essential than ever.
Unlike conventional data storage models that focus on at-rest data security, AI applications constantly process and transform data in motion. The dynamic nature of this data flow makes it difficult to enforce consistent security controls, creating new attack vectors that require innovative, real-time protection strategies.
As AI models increasingly interact with sensitive business data, legal risks, including intellectual property (IP) infringement, model hallucinations and data leakage, come to the fore. Businesses must ensure that both training datasets and AI-generated outputs are compliant with intellectual property laws, while also safeguarding against the accidental disclosure of sensitive information.
The future of AI security hinges on a data-centric approach. This includes developing solutions that identify, classify, tag, enforce and monitor data – both structured and unstructured – at run time and at rest. Organisations must prioritise and balance data strategies that not only maximise the value of their data but also minimise the risks associated with its use in AI development and deployment.
Also, to ensure that AI-driven solutions remain compliant with upcoming AI legal and regulatory standards, as well as existing regional and industry data privacy laws that already govern sensitive data, futureproofing for compliance is essential. A proactive approach that embeds security into the data itself helps organisations avoid reputational damage, financial penalties and operational disruptions caused by inadvertent violations of data protection laws.
This evolving landscape presents both challenges and opportunities. By adopting AI-native security solutions, organisations not only address the new vulnerabilities introduced by Generative AI but also ensure that they are well-positioned to protect their data, customers and brand reputation in the future.

Jonathan Gill, CEO at Panaseer
As the IT, threat and business landscapes evolve, cybersecurity leaders are being forced to adapt. Today’s CISOs have evolved from focusing on technology-related matters to also managing and communicating risk to business leadership.
In the wake of highly publicised attacks – such as the SUNBURST SolarWinds breach – regulators like the SEC are tightening their grip on board accountability. CISOs are under greater scrutiny and pressure to provide stronger assurances on security controls than ever before. Reporting to meet these demands takes up 46% of CISOs’ teams’ time. And 72% believe they could stop more breaches if they spent less time reporting.
Ownership, accountability and responsibility are positives in cybersecurity, but if taken too far they put undue stress on individuals, rather than the collective. The industry must avoid putting a target on one person’s back. After all, 47% of security leaders report feeling more anxious. If this blame game culture continues whilst CISOs are left powerless to provide accurate assurances, many will leave the industry – which 15% have already considered.
While other business units are empowered with specialised tools to enable data-driven insight, CISOs are often left to make do with disparate tools and no single, trusted view. For CISOs to meet compliance, they need a system of record offering a transparent view of every asset within an organisation. With this golden source of truth, CISOs are empowered to provide assurances, report risk in good faith, discover gaps in security, and plug them before incidents take place, protecting themselves and their company.
To adapt to the complex threat landscape, CISOs need to understand cyber risk and communicate it effectively to the business. First comes building that understanding: with visibility over the different cyber tools and controls in place, transparency over where risk exposure is greatest, and centralising this information. Then comes translating into the language of the business, building a culture of accountability for different controls and harnessing a scientific approach to data to prioritise the most urgent and effective action.
With trusted data presented in the right context, businesses can create a culture of collective responsibility so that everyone gets what they want – in this case, a more secure business that is more proactive in addressing threats and reducing risk.