Others speak to this point, too, saying that how, when, and where the CISO role takes on extra duties depends on the factors facing an organization.
“The CISO’s evolving role and responsibilities seem to vary based on the size, industry, and culture of an organization, and where they are in the ‘maturity arc’ of their core responsibilities,” says Ryan Hammer, adjunct professor with Carnegie Mellon University’s CISO Executive Education as well as vice president and CISO at software and systems company Ciena.
He adds, “Once they have built a team and strong operating culture, defined strategic objectives and success measurements, and consistently demonstrated execution, many CISOs (or their executive leadership teams) identify adjacent areas that could benefit from a similar approach.”
When to accept role creep – and when to say no
But the consensus among security leaders who have experienced that kind of slow expansion of duties or “role creep” is that CISOs and their executive colleagues must be mindful of when it will work and when it won’t.
John Paul (JP) Cunningham, CISO of software company Silverfort, says the position in general has grown over the past few decades from a technical job into an enterprise risk executive role. And while he says many CISOs are well prepared to take on more responsibility, he believes some functions should not fall to the position.
For example, he says the data protection officer “should be a standalone officer,” explaining that the CISO and CDO roles deserve someone who has experience in both areas. “I wouldn’t say no one can do the job, but the pool of people who can is very small,” he says. “And for those who aren’t qualified, you are setting them up to fail or to burn out.”
Cunningham says he once was asked if the chief data officer role should fall to him as CISO. “I made a pretty impassioned defense that it shouldn’t be me,” he says. On the other hand, Cunningham has taken on a security evangelism role, working with external stakeholders and industry peers.
Carl Froggett, who is both CIO and CISO at tech company Deep Instinct, shares similar insights.
He sees the trend of consolidating some functions under the CISO as positive in the way it helps ensure risk and security are consistent throughout the organization. But, like others, Froggett says what and how much extra should go to the CISO depends on the individual’s experiences and skills as well as the organization’s needs in the moment.
Hiring becomes more difficult when the role is too broad
Furthermore, he cautions that expanding the role too much will make hiring harder, noting that already “there aren’t enough qualified people with the experience needed to do the CISO job.”
He also believes there are some tasks the CISO should not take on. “There are some roles CISO shouldn’t do — like audit. Audit should have its independence to question your decision as a CISO,” he says as an example.
Still, Froggett, Cunningham, and others expect the CISO job will continue to expand in scope and require a broader set of skills, experience, and expertise from those filling the roles.
“Organizations are seeing the value in the level of diligence, transparency, and consistency CISOs are bringing to their security programs these days. CISOs are also making connections between their responsibilities and adjacent areas of risk that have the potential to impact the companies they serve, such as supply chain, continuity of operations, and product security,” Hammer says.
“This is pushing us to get more involved and bring perspective and experience to manage risk in these areas. I think it is a positive development in the evolution of the role. Where it makes sense, it can help a CISO inculcate risk-minded decision-making and practices into other areas of the business.”