Elevating Cybersecurity 2025
2 Recommendations for CISOs and top leadership
A CISO’s relationship with the C-suite
and board is critical to positioning
cybersecurity as a powerful enabler of
business growth and resilience.
The role of the CISO is increasingly seen as a
launchpad for broader executive leadership.
While some CISOs may remain in the role long-term,
others are transitioning into positions such
as chief security officer (CSO) or chief risk officer
(CRO), with expanded mandates covering physical
security, enterprise risk, operational resilience and
organizational trust.
This evolution is in response to an expanding and
converging risk landscape. CISOs are uniquely
equipped to navigate complex, ambiguous threats,
from misinformation and geopolitical disruptions
to infrastructural failures, even when these risks
fall outside traditional cybersecurity domains.
Their expertise in systemic risk management often
positions them as key figures in crisis response and
organizational resilience.
At the same time, the CISO’s role in evaluating
and securing emerging technologies is becoming
more critical. As innovations such as generative
AI and quantum computing get embedded into
core operations, CISOs must anticipate new threat
models, ensure responsible deployment and align
security controls with business innovation goals.
As a result, CISOs’ scope often starts to assume
broader responsibility within the organization for
enterprise security, trust and resilience. In addition
to supporting the board on regulatory compliance,
they must pragmatically deliver on improving
the organization’s (cyber) resilience. Their role
allows them to integrate the cyber, operational
and reputational risk perspectives, which can
help shape executive strategy and long-term
value creation.
2.1 The evolving responsibilities of the CISO
The primary mission of the CISO is to ensure that the
organization delivers to its stakeholders the products and
services that are core to the purpose of that business.
To meet that mission, the CISO’s primary job therefore is to
protect the business. This is not easy. As this white paper points
out, the digital infrastructure underpinning any given organization
is, in reality, a series of embedded systems offering an often
fuzzy view of knowable vulnerabilities exploitable by a dizzying
array of threats. There is no finish line to security, rather it is an
unrelenting exercise in risk management. And, although CISOs
remain responsible for risk management, the rest of us remain
responsible for security and must act accordingly.
Kemba Walden, President, Paladin Global Institute
Elevating Cybersecurity: Ensuring Strategic and Sustainable Impact for CISOs