I’ve also spent a lot of time thinking about what it means to develop and build the next generation of security leaders. One of the things I’m seeing quite a lot is the CISO role going in many different directions. At many organizations, the CISO is in effect or actually becoming the chief technology officer, where CISOs are trying to push harder and harder for their organization to upgrade and enhance their technology.
In many cases, leadership and the boards are giving them the CTO responsibility, or the CISO is forming an ever closer partnership with the CTO or the head of infrastructure to massively upgrade their technology to be more inherently secure and defendable.
I think that’s good progress.
Alicja Cade: How is AI changing the role of the CISO?
Phil Venables: Boards of directors want to know if what their company is doing with AI is safe and compliant, is it respecting privacy and all the trust and safety boundaries — and they’re turning to the CISO to talk about that.
Now, that’s not all organizations. There are many large financial organizations that have quite mature compliance and risk functions that are pulling their weight. But at other organizations, especially those not in historically very tightly regulated industries, the CISO is becoming almost like the chief digital risk officer. The CISO is being tasked with worrying about all of these other technology risks that are emerging as a result of AI.
AI’s not the only reason, but we’re certainly seeing an evolution of the CISO role into something you might call CISO version two, a much more evolved role.
David Homovich: This leveling-up of the CISO is not exactly new, but the circumstances that are driving it have been changed by the AI era. How do you describe the current iteration of CISO 2.0?
Phil Venables: The CISO is absolutely, undeniably becoming a peer business executive alongside all the other executives. How you secure and defend what most of our businesses are, as digital businesses, is becoming so critical that the CISO has to evolve.
The version two CISO mindset is really all about being business first. While we’ve talked about this for years, in many cases CISOs have been catching up with where the business wants to go and not leading the business where it needs to be. There are three pillars to CISO 2.0:
- CISOs should realize they’re peer business executives. They don’t just follow business initiatives to make sure they’re secure, but lead and educate the business on what opportunities may come about from the results of doing digitization in safe and secure ways.
- CISOs need to be a peer technology leader and have technical empathy. While the most successful CISOs are not primarily engineering leaders, they certainly have to be technically deep — or at least have an appreciation of technology and be able to work at a detailed level with the technology and engineering leaders and officers. CISOs should be able to suggest ways of engineering technology to help the organization create more secure by default, secure by design implementations.
- CISOs need to be long-term players. We all know many of the security activities and risk mitigation activities that we have to drive are things that just take years — even though we wish they would take quarters. This may be a little bit of selection bias, but the most successful CISOs are ones who manage to stay around for the longest time to see the results and drive the results of their change.
I’m not oblivious to the fact that there are some organizations where people just have to go because they see the writing on the wall, that there’s no way they can have as much effect. But we also have to be honest with ourselves. There are also plenty of cases where security leaders decide to go get the next job at the first point of resistance, as opposed to pushing through and realizing more long-term success.
Alicja Cade: How do CISOs engage in a way that can build that long-term success?
Phil Venables: When you look at the overall CISO 2.0 strategy, it’s all about actually having a strategy. CISOs should really be brutal with themselves when they look at their strategy, and ask if it is actually a strategy, or just a long-term plan that has the word strategy written on the front.
Strategy is a theory of how to win for your organization, and it’s distinct from plans. The plans come from the strategy, but strategy could be, for example, how we want the business to be able to pull help from the security team.
That’s a deliberate strategy that amplifies the engagement of the business. Then you plan, you go do things that are necessary, to create that pull.
Another example is that a big part of the strategy is encouraging transparency and accountability for risk, so that you get more self-correction in the environment. Then you’ve got to go do things to implement that strategy.
David Homovich: The relationship between CISOs and their boards of directors can often feel lacking. Can you talk about why boards and CISOs should be more important to each other?
Phil Venables: We talk a lot about interactions with the board and what the board expects. One of the common patterns among some of the best security organizations is that they just aren’t good at interacting with the board. They haven’t given the board the right metrics, or they just haven’t figured out how to educate new board members.
It’s under the control of the CISO and the wider leadership team to educate the board, to build relationships with board members and equip the board with how to be an effective overseer of what the CISO needs to do. The good news is that when you actually speak to board members, they’re eager to be educated. They want to be better board members to oversee security.
CISOs can influence board members, and boards can help influence business leaders. An example of this is when organizations more consciously use their buying power to drive the right behaviors in suppliers. Take a supplier that tells a customer that they’re the only company asking for a necessary security improvement that should be there by default, whereas in reality the supplier just wants to charge everybody for it.
It only takes a few companies of reasonable scale to actually call out the CEO of those companies to start triggering better behavior. It’s important that we think about all of our roles in the security and business community more broadly.
Source Credit: https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-phil-venables-on-ciso-2-0-and-the-ciso-factory/
