If CISOs want to be more strategic, it’s more than just your reporting line and the number of board slides created. Strategy is the systematic identification, assessment and prioritization of risks aligned to business objectives. Strategy translates uncertainty into deliberate choices. 

 

To be an effective security leader, you need to understand this cold hard truth: Boards don’t care about security. They care about risk. 

 

Leaders at the highest level of an organization are in the Risk Management business. 

 

What has traditionally been a deeply technical function focused on perimeter defense, incident response, and vulnerability remediation is evolving into something far more consequential: an executive mandate to manage and communicate both technology and engineering risk at the enterprise level. 

 

Similar to how the introduction of the Chief Risk Officer (CRO) transformed how financial institutions understood and governed risk, the next generation of trusted and durable SaaS companies will elevate CISOs who operate as risk executives, not security ticket managers. 

 

These CISOs will oversee risk associated with technology and engineering decisions across people, processes, systems, and 3rd party dependencies, and have the fortitude to translate security investments into business outcomes that boards and CEOs understand.

​

A Brief History of the CISO Role

Early Days: Technical Custodian

​

The CISO role emerged in 1996, largely in response to growing connectivity, early cybercrime and high-profile breaches. It was Citigroup that appointed the world’s first CISO in 1995 in response to being hacked out of $10M by a nation state group [2],[3]. Steve Katz was selected due to his deep technical background in early computing and experience working on product lifecycle and quality assurance. 

 

Early CISOs were often senior technologists tasked with protecting infrastructure and data from external threats. 

 

The Compliance Era: Control & Audit Focus

 

As regulations like SOX, PCI-DSS, HIPAA and eventually GDPR emerged, the CISO role expanded to include compliance and audit readiness. Security programs became more formalized, revolving specifically around incident response, but were (and are) still largely reactive. 

 

As the CISO role evolved here, CISOs became control operators with a narrower focus on enterprise security. While policies, tools and attestations were being put in place, the CISO function remained centered on activities rather than outcomes. Risk was implied and assumed, but rarely articulated in business terms. Executive leadership viewed the security role more as insurance, than a business enabler. 

 

The Modern Reality: Technology is the Business

​​

These days, nearly every organization has now become a “technology company”, building products for either in-house or user-facing consumption. In SaaS and cloud-native companies today, technology is no longer a support function. 

 

It is the business. 

 

Engineering velocity, platform reliability, data handling, and third-party integrations directly determine revenue, customer trust, and enterprise value. Despite this shift, many organizations are still stuck in the Compliance Era.

 

CISOs are raring to break out, but are battling against the executive team perspective that security is not a business enabler. These leaders are not helping their cause when they are reporting on and evaluating their business on operational artifacts: vulnerability counts, mean-time-to-remediate, tool coverage, and audit results. 

 

The Chief Risk Officer Parallel: A Useful Blueprint

 

The financial industry faced a similar moment in the mid- to late-1990s. Deregulation, consolidation, the development of new financial instruments and the growth and integration of capital markets were all pulling financial institutions into a broader, ever more complex operating environment [4]. The Basel Accords accelerated the number of individuals assigned to the CRO post. 

 

CROs were not responsible for executing every control or transaction. Their mandate was to:

• Identify and categorize risk

• Quantify exposure

• Align risk appetite with business strategy

• Communicate risk clearly to executives and boards

 

CROs don’t necessarily own the risk inherent in the business, rather they provide the visibility, analysis, and recommendations regarding risk to their operating peers: CEO, CFO, COO. 

 

Businesses made better investment decisions by having a CRO. By centralizing risk management in this way, it enabled financial firms to make decisions based on a better appreciation of the relationship between risk and reward.

 

SaaS companies are now facing an analogous challenge with technology and engineering risk. 

 

Why the CISO Must Become a Technology Risk Executive

 

For the modern CISO, closing vulnerability tickets isn’t the goal of your department. Reducing material risk to the business is. The vulnerability tickets that have become so prolific in our day-to-day operations is simply a means to manage risk.  

 

A backlog of vulnerabilities tells you very little without the context:

 

• Which asset generates revenue?

• Which systems handle regulated or sensitive data?

• Which vulnerabilities meaningfully increase the likelihood or impact of business description?

 

CISOs who operate as risk leaders reframe the conversation from “How many issues do we have” to “Which risks matter most, and why?”

​

​