EVOLVING ROLE OF THE CHIEF SECURITY OFFICER

R&C: How would you describe the key functions of the chief security officer (CSO)? To what extent is this role evolving into a strategic leadership position?

Rosenthal: A chief security officer (CSO) plays a critical leadership role in protecting a company’s data, digital assets and reputation. The role has expanded beyond just technical security to include risk management, legal exposure, regulatory compliance and business enablement. A key function of a CSO is to build an incident response plan. Such a plan requires collaboration across cross-functional teams. The CSO has to be flexible to work with a diverse set of employees across the company to ensure the incident response plan is flexible and workable. More importantly, the executive team needs to be prepared for an incident. It is often the job of the CSO to ensure that executives know when to go to the board of directors should an incident occur, for instance. It is their job to not only implement a plan but help ensure that all the relevant employees know their role, which is often done through training.

Iqbal: Just a few years back, a CSO mostly handled guards and gates. Since then, their role has exploded. Now, the CSO crafts the entire security vision for the company, weaving together physical safety and cyber defences. They own threat intelligence, steer crisis responses across every department and, crucially, translate security risks into clear financial terms. This means proposing resilience budgets and reporting directly to the board. What is driving this shift? A wave of new regulations, like the Securities and Exchange Commission’s (SEC’s) cyber rules, the European Union’s (EU’s) Network and Information Systems Directive 2 (NIS2), the Digital Operational Resilience Act (DORA) and upcoming artificial intelligence (AI) laws, is demanding that someone answer for security outcomes. This scrutiny has lifted the CSO from tactical operations to a true strategic partner. They sit alongside the chief information officer (CIO) and chief risk officer (CRO), directly influencing major moves like mergers, cloud shifts and product rollouts. In essence, security strategy is now business strategy, and the CSO is writing the plan.

Jul-Sep 2025 Issue

Ampersand

Consilium House Consulting WLL

Habib Bank AG Zurich

Oxford University

Turnall Holdings Limited - Zimbabwe