Elevating Cybersecurity 2025


1.2 The diversity of the CISO role

“In today’s rapidly evolving threat landscape, the role of the CISO has never been more critical. CISOs are not just defenders of infrastructure – they are strategic leaders who work across every part of the organization to embed security into the fabric of how an organization operates, innovates and serves customers. At PayPal, the most critical responsibilities of the CISO are to align security with business priorities, foster a culture of trust, drive resilience at scale and protect the company and its customers.”
Joy Chik, Board Member at PayPal

A. The CISO mandate

There is no single definition of a CISO. The exact title and mandate depend on factors such as the size of the organization, its industry, its age, its market segment and its cyber maturity.

In some organizations, roles and responsibilities for risk governance are defined through the “three lines of defence” model, which is widely used in the financial services industry. Responsibilities are split among the first line of defence, which runs the operations that protect the organization against cyberthreats; the second line, which focuses on risk management and compliance; and the third line, which delivers internal audit. Some CISOs sit in the first or second line, while others operate across both.

Some CISOs focus narrowly on specific parts of the business, while others have a broader, more holistic scope encompassing all digital systems, including the organization’s own product or service offering, thereby protecting the value proposition delivered to clients. Reporting lines also vary: some CISOs report to a member of the C-suite (for example, the chief information officer, chief technology officer, chief legal officer, chief risk officer or chief digital officer), while others report directly to the chief executive officer. At the World Economic Forum’s Annual Meeting on Cybersecurity 2024, 24% of CISOs polled had a direct reporting line to the chief executive officer.

Some organizations integrate physical security and personnel security into the CISO role, while others add crisis management and business continuity; this often results in a wider chief security officer (CSO) role intended to align those mandates. CISOs’ remits may now include hybrid, physical and human capital risks, and more. Some financial services organizations broaden the scope of the CSO role further to include financial crime, anti-fraud and anti-money laundering, making it wider than traditional information security. Some CISOs own identity, while other organizations keep it separate.[12] Other CISOs may also own the trust or resilience agendas. For organizations operating in industrial ecosystems, the CISO is often responsible for the digital security of operational technology (OT).

In some cases, the C-suite views the CISO role as compliance-driven, which is a limiting framing if the aspiration is to build a cyber-resilient organization. Compliance is about meeting minimum standards; security is about managing real-world risk. Striking the right balance between compliance and security is therefore central to the CISO role.

Globally, cybersecurity is increasingly recognized as a core element of corporate governance and board-level accountability, driven by regulatory developments across multiple jurisdictions. Laws and frameworks emphasize that boards of directors bear ultimate responsibility for managing cyber risk. While operational duties may be delegated to a CISO, the legal and reputational consequences of cybersecurity failures remain with the board, making the CISO’s primary role one of enabling the board to fulfil its fiduciary, legal and risk management obligations. Although CISOs must work closely with business units to implement effective controls and drive resilience, much of their core value lies in enabling the board and executive leadership by providing strategic insight, assurance and clear communication of the organization’s cybersecurity posture.

B. CISO relationships

CISOs’ success hinges on strong relationships that enable tactical and strategic collaboration across their organization and beyond. Figure 1 maps the CISO’s relationships and outlines the key stakeholders and high-level responsibilities on both sides.

Elevating Cybersecurity: Ensuring Strategic and Sustainable Impact for CISOs