CISOs Reshape Their Roles as Business Risk Strategists

CSO Online, Apr 20, 2026

Why It Matters

Embedding risk expertise in the CISO role aligns cybersecurity with overall business objectives, helping boards and CEOs make informed, financially grounded decisions about technology investments and resilience.

Key Takeaways

  • ThoughtWorks CISO also leads enterprise risk, merging security and business risk
  • 78% of CISOs share security risk accountability with other C‑suite leaders
  • 96% of CISOs now oversee AI governance and related risk management
  • CISOs quantify risk financially using the FAIR model to drive ROI decisions

Pulse Analysis

The CISO’s traditional mandate—protecting networks and data—has broadened into a full‑scale enterprise risk function. At ThoughtWorks, Nitin Raina’s dual appointment illustrates how security leaders can embed risk conversations across strategy, operations, and compliance. Industry surveys, such as Splunk’s 2026 CISO Report, confirm this trend: a majority of CISOs now co‑own security‑related business risk with CIOs, CTOs, and even CEOs, while a growing share are tasked with AI governance, reflecting the heightened stakes of generative and agentic AI deployments.

Translating technical threats into business language is now a core competency. Executives expect CISOs to quantify risk in monetary terms, often using frameworks like FAIR to model potential loss and return on security investments. This financial framing enables boardrooms to compare cyber risk mitigation against other capital projects, fostering a risk‑aware culture that integrates cybersecurity into overall enterprise decision‑making. Moreover, governance, risk, and compliance (GRC) has risen to the top priority for CISOs, serving as the bridge that earns executive trust and demonstrates continuous, defensible oversight.
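What "quantifying risk in monetary terms with FAIR" looks like in practice, as an added example that is not part of the CSO Online article and not code from any FAIR tool: a small Monte Carlo model in Python that samples FAIR's top-level factors (Threat Event Frequency, Vulnerability, Primary and Secondary Loss) to produce an annualized loss exposure distribution for a scenario with and without a control, then turns the difference into a return-on-investment figure a board can compare with other spend. The scenario (phishing-led credential theft before and after phishing-resistant MFA), every three-point estimate, and the control cost are constructed for illustration; the triangular distribution stands in for the PERT distribution most FAIR tooling uses, since both take the same min / most-likely / max inputs.

```python
"""
Added example, not from the article: a FAIR-style Monte Carlo estimate of
Annualized Loss Exposure (ALE) used to compare a control's cost against the
loss it avoids. All estimate ranges below are constructed for illustration;
a real analysis calibrates them with incident data and subject-matter experts.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT distribution FAIR tools usually use.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in FAIR's top-level factors."""
    name: str
    threat_event_frequency: Estimate  # attacker attempts per year
    vulnerability: Estimate           # probability an attempt becomes a loss event
    primary_loss: Estimate            # direct cost per loss event (response, rebuild)
    secondary_loss: Estimate          # fines, churn, legal cost per loss event


def simulate_ale(scenario: Scenario, runs: int = 10_000, seed: int = 7) -> list[float]:
    """Return one annual-loss sample per run, computed as LEF x LM (FAIR's risk product)."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    samples = []
    for _ in range(runs):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        # Loss Magnitude = primary + secondary loss per event
        lm = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        samples.append(lef * lm)
    return samples


def summarize(samples: list[float]) -> dict[str, float]:
    """The figures boards ask for: expected year (mean), typical year (p50), bad year (p90)."""
    ordered = sorted(samples)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "p50": ordered[n // 2],
        "p90": ordered[int(n * 0.9)],
    }


def control_roi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = ale_before - ale_after
    return (avoided - annual_control_cost) / annual_control_cost


def compare_control(before: Scenario, after: Scenario, annual_control_cost: float) -> dict:
    """Expected loss with and without the control, plus the control's ROI."""
    s_before = summarize(simulate_ale(before))
    s_after = summarize(simulate_ale(after))
    return {
        "ale_before": s_before,
        "ale_after": s_after,
        "roi": control_roi(s_before["mean"], s_after["mean"], annual_control_cost),
    }


# Constructed scenario: the control only changes Vulnerability (how often a
# phishing attempt actually yields a usable credential); frequency and loss
# magnitude are assumed unchanged.
BEFORE_MFA = Scenario(
    name="credential phishing, password + SMS OTP",
    threat_event_frequency=Estimate(2, 6, 15),
    vulnerability=Estimate(0.10, 0.20, 0.35),
    primary_loss=Estimate(50_000, 150_000, 400_000),
    secondary_loss=Estimate(0, 50_000, 300_000),
)
AFTER_MFA = Scenario(
    name="credential phishing, phishing-resistant MFA",
    threat_event_frequency=BEFORE_MFA.threat_event_frequency,
    vulnerability=Estimate(0.01, 0.03, 0.08),
    primary_loss=BEFORE_MFA.primary_loss,
    secondary_loss=BEFORE_MFA.secondary_loss,
)
ANNUAL_CONTROL_COST = 120_000  # constructed: licences plus rollout, per year


if __name__ == "__main__":
    result = compare_control(BEFORE_MFA, AFTER_MFA, ANNUAL_CONTROL_COST)
    for label in ("ale_before", "ale_after"):
        s = result[label]
        print(f"{label}: mean {s['mean']:,.0f}  p50 {s['p50']:,.0f}  p90 {s['p90']:,.0f}")
    print(f"ROI of control: {result['roi']:.2f}x")
```

The point of the exercise is the shape of the output, not the numbers: a board sees an expected annual loss, a bad-year (p90) loss, and a ratio of loss avoided to money spent, all in the same units as any other capital project. The model is deliberately independent of how the control works; what it needs from the engineers is a defensible estimate of which FAIR factor the control moves and by how much.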

The expanded role demands a broader skill set. Beyond deep technical knowledge, modern CISOs must understand market dynamics, regulatory landscapes, and the strategic implications of emerging technologies. They act as advisers, flagging how AI, cloud, and digital initiatives shift an organization’s risk appetite without setting that appetite themselves. By engaging with vendors, peers, and industry forums, they stay ahead of emerging threats and bring actionable insights to boards, positioning the CISO as a proactive business partner rather than a compliance gatekeeper.
