In addition to traditional information security responsibilities, such as security operations, security engineering, GRC, and application security, many CISOs now oversee business risk functions, including risk and compliance, third-party risk management, disaster recovery, and product security. “Nearly 30% also have ownership over parts of the IT stack, including IT compliance, IT operations, or networking,” the survey of 662 CISOs found.
Cybersecurity consultant Brian Levine, a former federal prosecutor who serves as executive director of FormerGov, says CISOs can’t be expected to take on every task that touches cybersecurity and that no one else wants to own.
“Enterprise CISOs aren’t just burned out; they’re boxed in. The title keeps rising, but the influence doesn’t always follow,” Levine says. “The modern CISO isn’t just running a security program anymore. They are running a geopolitical, regulatory, and enterprise‑wide risk portfolio. The scope has exploded so fast that the role is outpacing what any one person can reasonably own.”