Forget What the Role Used to Be: 5 New Realities CISOs Need to Navigate

Axonius

The CISO role has never been more important (or more complex). What was once a technical leadership position is now a balancing act between risk, regulation, resilience, and revenue.

That’s a tall order. And in a recent interview with Brian Glick, Editor-in-Chief of Computer Weekly, Liz Morton, Field CISO at Axonius, offered a candid look at the shifts CISOs must navigate to lead effectively.

Here are five new realities redefining the role.

Watch the full interview or read on for the key takeaways.

1. It's time to be at the table as an equal

Time and again, it’s been proven: if better security measures had been in place, companies would have been better off commercially. It often takes just one breach, one misstep, to expose the true cost of underinvestment and reshape how the board sees the value of security.

“Trying to not be at the table with the rest of the business leaders, while also kind of working in service to them—that only takes you so far,” Liz explains. “You have to be at the table as an equal. It's less expensive to mount a good hygiene campaign than it is to mount a defense.”

This evolution is pushing CISOs to think more like business leaders and focus on measurable impact. And for many, it’s a welcome change.

2. You can’t always hire your way out of gaps

Every CISO knows the cyber talent shortage is real. But Liz challenges the idea that solving it means just hiring more red teamers or SOC analysts.

“Look at what you have in terms of capabilities already: good cyber hygiene, your resilience plans. Look at how well your operational framework overlays with how you're running your cyber program from an execution perspective.”

And when resources are tight, automation has to step in. Liz’s one piece of advice for CISOs: don’t make your people work harder than your machines.

But scaling effectively also means expanding how we define qualified talent. The strongest teams are blended: made up of engineers, ops pros, compliance experts, and other specialists who bring transferable skills and curiosity to the table. (Before working in cybersecurity, Liz’s career began in architecture and engineering.)

3. Leadership means navigating ambiguity

Ask ten CISOs how their role is structured, and you’ll get ten different answers.

“Sometimes you'll see a CISO reporting to a CIO. Sometimes they'll be peers,” Liz says. “That, to me, is a signal of an organization's dedication to having someone in charge of security because, from a commercial and innovation perspective, it's important.”

This variability isn’t just about org charts. It directly affects how CISOs are positioned. One CISO might be deeply embedded in strategy, and another might be focused purely on controls and compliance. Both are accountable for managing risk, but few are given the same level of visibility, influence, or support.

The role is shaped as much by internal politics and cultural expectations as it is by job descriptions. Navigating that ambiguity, and still delivering, is a leadership skill all its own.

4. Regulations need selling (not just interpreting)

Frameworks like GDPR and the SEC’s cybersecurity disclosure rules are table stakes. Understanding what’s required is one thing. Convincing the business to prioritize and fund the right initiatives is something else entirely.

“That introduces a very common business problem,” Liz notes. “Taking a set of requirements and translating them into a business need, and then translating that need into a way to fund and execute it.”

To succeed, modern CISOs have to build the bridge between regulatory pressure and business outcomes—connecting the dots between compliance, risk, and what actually moves the business forward.

5. Compliance is regional, but risk is global

CISOs in Europe may be navigating some of the world’s most mature regulatory environments, but the pressure they’re under is hardly regional. Threat actors, third-party risks, and cloud misconfigurations don’t care where your office is headquartered.

“It doesn't matter where you physically sit as a CISO. You are dealing with the world and all of its offerings, good and bad,” Liz explains. “It all comes down to: What are your resources? Are you able to execute?”

Modern CISOs need to operate on two fronts:

  • Translating and executing against regional frameworks

  • Building resilient, globally aware programs that span hybrid infrastructure, distributed teams, and international supply chains

There’s no shortage of pressure. Expectations keep piling up (even when headcount and budget don’t). But as the CISO role continues to evolve, so does the opportunity to lead with more impact than ever before.
