Shifting regulatory and compliance landscapes and the widespread adoption of AI have heightened demand for cybersecurity leaders to step outside the technical, but more responsibility can come with a price.

When George Gerchow was CISO at Sumo Logic, his responsibilities incorporated the kind of work typically assigned to a chief information security officer — no surprise there.
But Gerchow was also vice president of IT and during his tenure also assumed responsibility for real estate, such as decision-making about office locations and designs. Given the variety of responsibilities that had landed on his plate, he referred to his domain as RISC — real estate, security, and compliance.
Gerchow acknowledges that it’s not terribly unusual for a CISO to own the IT function at an organization, but being in charge of corporate real estate is unusual, although he says taking it on made sense at the time.
Gerchow, who worked at Sumo Logic from 2015 through 2024, acquired responsibility for real estate during the COVID pandemic, a spillover from his security and IT work as the company was making remote work and return-to-office decisions in which security was a major factor. To top it all off, he would later add environmental, social, and governance (ESG) duties to his work portfolio.
Although the company had removed real estate and ESG from the CISO role by the time Gerchow left, its initial decision to consolidate disparate duties under the CISO exemplifies a trend within the chief security role. Gerchow’s current position does so, too: He is now both interim CISO and head of trust at MongoDB as well as faculty at IANS Research.
The role of CISO is continuously evolving
The CISO role has been evolving since its creation in the late 20th century alongside technology and internet-enabled threats, morphing to meet the demands of the moment. But the position hasn’t just matured; in many cases it has expanded, taking on additional domains.
“The CISO role has expanded significantly over the years as companies realize that information security has a unique picture of what is going on across the organization,” says Doug Kersten, CISO of software company Appfire.
“Traditionally, CISOs have focused on fundamental security controls and threat mitigation,” he adds. “However, today they are increasingly expected to play a central role in maintaining business resilience and compliance. Many CISOs are now responsible for risk management, business continuity, and disaster recovery as well as overseeing regulatory compliance across various jurisdictions.”
With major paradigm shifts, such as the introduction of AI to the enterprise tech stack across multiple areas of responsibility, it makes sense to bring in the CISO because of their ability to collaborate across functions, Kersten says. “This shift reflects the growing realization that cybersecurity is not just an IT issue; it’s a fundamental part of operational and strategic business functions.”
Embrace the expansion of responsibilities
Kersten says his “scope of responsibilities as a CISO has broadened to include areas like compliance and governance, vendor risk management, and contributing to overall business continuity planning” as well as the “critical new element of… understanding and addressing the implications of AI technologies.”
Security executives say this expansion of duties further elevates the CISO’s standing within the organization — a welcome development for a position that hasn’t always had equal standing within the C-suite.
“CISOs understand that they are being tasked with safeguarding the risks to their organization. Whether that means real estate or business continuity, we understand we need to own the risk and the security in order to successfully adhere and achieve the organization’s objectives,” says Jimmy Sanders, president of ISSA International, an association for cybersecurity professionals.
“CISOs should embrace the expansion of responsibilities,” he adds. “For years CISOs have tried to ensure that they have a seat at the executive table in terms of being in the executive decision-making group. The expansion of responsibilities is part of the toll to be expected to ensure CISOs are in the room when crucial decisions are made.”
Research is tracking the trend
IANS Research and Artico Search analyzed data collected from more than 830 security leaders for their 2025 State of the CISO Report and found that CISOs are taking on business risk, IT oversight, and digital transformation while retaining traditional infosec domains such as operations, architecture and engineering, digital risk, and compliance.
It also found that a majority of CISOs now have more business risk functions such as business continuity, third-party risk management and product security. And it calculated that 25% to 50% also have functions such as physical security, privacy, and fraud protection in addition to enterprise risk management.
Additionally, research showed that an emerging share (fewer than 25%) is broadening its scope to include artificial intelligence, mergers and acquisitions security, data governance, comprehensive IT oversight, and digital transformation and innovation.
“We’re seeing a convergence of roles under head of security because of the background and problem-solving skills of these people. They have become the problem-solver in chief,” says Steve Martano, IANS Research faculty and executive cyber recruiter at Artico Search. That, though, comes with challenges.
“CISOs are already experiencing high levels of stress, with recent data highlighting that nearly one in four CISOs are considering leaving the profession due to stress,” Kersten says. “Many CISOs only stay in the role for two to three years. With this, the expectations placed on CISOs are undeniably growing, and organizations risk overburdening them without sufficient resources and support. The increasing volume and complexity of global regulatory requirements, for instance, have created substantial challenges for security teams that ultimately fall to the CISO.”
A seismic shift in responsibilities
The list of CISO responsibilities has been growing for at least a decade, observers say.
Martano says some CISOs started to see IT come under their purview (after a long history of CISOs reporting to CIOs) with the rise of cloud computing and its embedded security. It’s not particularly uncommon, he says, to see a combined CIO and CISO role, particularly in small-to-midsize businesses.
CISOs then started taking on more business risk and, in some cases, the related areas of governance and compliance, he says.
Sherron Burgess, senior vice president and CISO at BCD Travel, sees CISOs adding data privacy and trust to their workload, too, sometimes adopting the trust officer title to reflect those duties. Burgess says some of her work goes beyond conventional cybersecurity tasks, encompassing elements of regulatory compliance, third-party risk management, and physical security.
“It’s taking my skill set and applying it in new ways,” says Burgess, who also serves as board chair for Cyversity, a nonprofit promoting diversity in the cybersecurity field.
Case in point: She must decide how to most securely deliver documents to clients in sensitive geographic locales, for example whether a motorbike courier is more secure than digital delivery.
Likewise, Richard Watson, global and Asia-Pacific cybersecurity consulting leader at professional services firm EY, says some CISOs also now own resilience, third-party risk management, and risk management assurance. Some have physical security, too, requiring oversight of equipment from fencing to surveillance cameras.
Watson says this shows how “CISOs often inherit stuff that doesn’t have a lot to do with cybersecurity. It ends up with an accumulation of responsibilities, and it can become a hodgepodge.”
Expansive knowledge, experience required
Watson says that the expansion of CISO responsibilities also expands the areas in which CISOs must be knowledgeable.
For example, risk management assurance could require CISOs to understand laws and regulations around sustainability, corruption, and modern-day slavery to assure that their organizations don’t use third parties who engage in problematic practices in those areas, he says.
As a result, he says CISOs now need to be executives with business acumen and industry knowledge as well as crisis leadership skills. They also may need experience or expertise in legal, compliance, procurement, international regulations, and more.
That can be a stretch for many CISOs, particularly those who advanced their careers solely through the technical ranks, Watson and others say.
“The CISO isn’t trained in all these areas and often isn’t capable in all these areas,” Watson adds.
He believes that scenario can put a company on thin ice but also thinks an expanded CISO position can work under the right circumstances.
“I don’t have a problem with a CISO having [multiple] roles, but you need the right person in the role. Put the right person in the role for what the capability has become and/or train the person.”
Marty Barrack’s executive journey illustrates Watson’s points. Barrack is CISO and chief legal and compliance officer at XiFin, a healthcare information technology company. He also oversees the company’s ESG function.
There is no such thing as having too many qualifications
“It really is a modern risk role: contract, operations, use of third parties, the vetting of third parties and subcontractors, it all comes together as control over the risk of the organization,” he says. However, Barrack’s qualifications are unlike those of most other CISOs.
He holds a law degree and an MBA. Prior to joining XiFin, he had worked as a corporate counsel, chief procurement officer, and global privacy officer. He had senior roles at systems integrators and IT services firms. And he had owned his own law firm.
Among other accomplishments, Barrack also holds several security-related certifications, including Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) — both from ISACA. (He is a member of the ISACA Emerging Trends Working Group.) He also earned the EC-Council’s Certified Chief Information Security Officer (CCISO).
Barrack joined XiFin in 2018 as general counsel “but very quickly security was given to me because I could translate security issues into perspectives that executives and IT understood, and I was able to help us enhance our maturity,” he says, noting that under his direction the company adopted the NIST security framework and earned HITRUST certification for its largest product.
Barrack acknowledges he has an uncommon combination of skills and experiences — and that his role is unusually broad as a result. He says the role will be broken up when he leaves. “I don’t believe one person will step into my shoes,” he adds.
That, he says, speaks to the specific circumstances that brought the multiple functions under his authority.
Others speak to this point, too, saying that how, when and where the CISO role adds extra duties is dependent on the factors facing an organization.
“The CISO’s evolving role and responsibilities seem to vary based on the size, industry, and culture of an organization, and where they are in the ‘maturity arc’ of their core responsibilities,” says Ryan Hammer, adjunct professor with Carnegie Mellon University’s CISO Executive Education as well as vice president and CISO at software and systems company Ciena.
He adds, “Once they have built a team and strong operating culture, defined strategic objectives and success measurements, and consistently demonstrated execution, many CISOs (or their executive leadership teams) identify adjacent areas that could benefit from a similar approach.”
When to accept role creep – and when to say no
But the consensus among security leaders who have experienced that kind of slow expansion of duties or “role creep” is that CISOs and their executive colleagues must be mindful of when it will work and when it won’t.
John Paul (JP) Cunningham, CISO of software company Silverfort, says the position in general has grown over the past few decades from a technical job into an enterprise risk executive role. And while he says many CISOs are well prepared to take on more responsibility, he believes some functions should not fall to the position.
For example, he says the data protection officer “should be a standalone officer,” explaining that anyone holding both the CISO and CDO roles would need experience in both areas. “I wouldn’t say no one can do the job, but the pool of people who can is very small,” he says. “And for those who aren’t qualified, you are setting them up to fail or to burn out.”
Cunningham says he once was asked if the chief data officer role should fall to him as CISO. “I made a pretty impassioned defense that it shouldn’t be me,” he says. On the other hand, Cunningham has taken on a security evangelism role, working with external stakeholders and industry peers.
Carl Froggett, who is both CIO and CISO at tech company Deep Instinct, shares similar insights.
He sees the trend of consolidating some functions under the CISO as positive in the way it helps ensure risk and security are consistent throughout the organization. But, like others, Froggett says what and how much extra should go to the CISO depends on the individual’s experiences and skills as well as the organization’s needs in the moment.
Hiring becomes more difficult when the role is too broad
Furthermore, he cautions that expanding the role too much will make hiring harder, noting that already “there aren’t enough qualified people with the experience needed to do the CISO job.”
He also believes there are some tasks the CISO should not take on. “There are some roles the CISO shouldn’t do — like audit. Audit should have its independence to question your decision as a CISO,” he says as an example.
Still, Froggett, Cunningham, and others expect the CISO job will continue to expand in scope and require a broader set of skills, experience, and expertise from those filling the roles.
“Organizations are seeing the value in the level of diligence, transparency, and consistency CISOs are bringing to their security programs these days. CISOs are also making connections between their responsibilities and adjacent areas of risk that have the potential to impact the companies they serve, such as supply chain, continuity of operations, and product security,” Hammer says.
“This is pushing us to get more involved and bring perspective and experience to manage risk in these areas. I think it is a positive development in the evolution of the role. Where it makes sense, it can help a CISO inculcate risk-minded decision-making and practices into other areas of the business.”