- The CISO role has shifted from technical leader to strategic business risk advisor, demanding cross-functional influence and board-level communication.
- Effective risk management requires structured, ongoing programs covering AI risk, third-party visibility, and control effectiveness.
- Resilience is the new measure of success, with the focus on how fast and effectively the organization recovers from the incidents that do happen.
From IT Problem to Business Risk: How the CISO Role Has Shifted
The cybersecurity landscape is constantly evolving, which means the CISO role is also evolving. According to Splunk's 2026 CISO report, 86% of CISOs stated, “the role has changed so much since they first became a CISO that it’s almost a different job.”
Where once the role was solely that of a technical leader, it has evolved to now involve business risk. As Nick Kakolowki, Senior Director, CISO Research at IANS, stated in an RSAC 2026 Conference presentation, “More CISOs are being elevated into executive roles, and we have seen a need for CISO to become an all-purpose risk consultant.”
Kakolowki and his cohost, Steve Martano, Partner, Cybersecurity Practice at Artico Search, conducted a survey with 650 CISOs and highlighted in their presentation what the CISO role looks like today:
What the Executive CISO Role Looks Like Today
The modern CISO has evolved beyond technical operations so much that the role now demands strategic leadership, organizational influence, and the ability to align security with business outcomes. The key responsibilities that define this evolved role include:
- Running a strong team: Building a strong team that can handle day-to-day operations without heavy oversight from the CISO, allowing them to focus on strategic priorities
- Delegating responsibilities: Assigning clear duties and ownership across the team, and finding ways to leverage automation, training, and mentorship.
- Building cross-functional relationships and influence: Identifying the right stakeholders is crucial to making a program better, faster, and more efficient.
- Proactively mitigating risk to support business growth: Inform the board and others of risks based on where the company is going, not just where it is today.
In today's cyber world, the CISO role consists of many functions, which is why Gartner reported that 85% of organizations hold their CIO or CISO accountable for security initiatives.
Building a Risk-based Security Program
As new and emerging threats are identified and AI risks evolve, it's important for a CISO to build and maintain a strong risk-based security program, moving away from simple compliance checkboxes.
Organizations should create a cyber risk assessment as a starting point. In an RSAC 2026 presentation, T.J. Patterson, VP, Information Security Officer at STAR Financial Bank, detailed a framework for creating a cyber risk assessment:
Step 1: Quantify Risks with a Risk Matrix
The first step Patterson outlined is for organizations to examine a risk matrix to quantify risks, using a grid similar to figure 1. This helps organizations map out the likelihood of specific risks that can or will be exploited within their environment. The scoring ranks from "very likely" to "unlikely" and categorizes them as "low," "medium," "medium-high," or "high."
Figure 1: RSAC 2026 Conference Presentation
Step 2: Analyze Inherent Risks
The second step is to analyze inherent risks using the same chart in a more consolidated form, after the organization identifies the actual risks that can be exploited. From there, review the placement of each risk (very likely, high, etc.) to understand the risk landscape and determine where to place controls to reduce the likelihood of exploitation or prevent it altogether.
Step 3: Examine Residual Risk
The third step is examining residual risk by looking at what remains after an organization has applied controls and mitigations. As Patterson explained, this helps "Determine which risks need to be prioritized over the next year."
Step 4: Evaluate Control Effectiveness (Ongoing)
The final, continuous step Patterson highlighted is evaluating control effectiveness. It measures how well an organization's controls are actually reducing risk. Control effectiveness is what bridges inherent and residual risk. If controls are working, organizations should revisit and reassess residual risks; if gaps remain, additional controls should be layered in. This step is ongoing, not a one-time exercise.
If an organization doesn't have the tools or budget to build a full risk assessment, Patterson recommended starting with a risk register. (Figure 2)
Figure 2: RSAC 2026 Conference Presentation
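The four steps above and the risk register fallback can be expressed as one small calculation. The following Python is an added example, not code from the article or from the RSAC presenters: it scores each risk as likelihood times impact (step 1), records the inherent score before controls (step 2), derives a residual score after applying the measured effectiveness of each control (step 3), and flags which risks still need additional controls versus a reassessment next cycle (step 4). The risks, scores, control effectiveness values and the multiplicative effectiveness model are all assumptions constructed for illustration.

```python
"""Added example: a minimal risk register walking the four steps in the text.
Every risk, score and effectiveness value below is constructed for illustration."""
from dataclasses import dataclass, field

# Step 1: the two axes of the risk matrix, with the likelihood labels used in the text.
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3, "very likely": 4}
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def rating(score: int) -> str:
    """Bucket a likelihood x impact score (1..16) into the matrix bands named in the text."""
    if score >= 12:
        return "high"
    if score >= 8:
        return "medium-high"
    if score >= 4:
        return "medium"
    return "low"


def risk_matrix() -> dict:
    """Step 1: the full grid, keyed by (likelihood, impact), e.g. for rendering figure 1."""
    return {(lk, im): rating(l * i) for lk, l in LIKELIHOOD.items() for im, i in IMPACT.items()}


@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully prevents); assumed measured in step 4


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Step 2: inherent risk = likelihood x impact before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Step 3: what remains after controls. Assumption: each control independently
        removes its effectiveness fraction of the remaining score (multiplicative model)."""
        remaining = float(self.inherent_score())
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return max(1, round(remaining))


def prioritize(register: list) -> list:
    """Step 4: rank risks by residual score (highest first = next year's priorities)
    and decide whether to layer in more controls or simply reassess next cycle."""
    rows = []
    for risk in register:
        inherent, residual = risk.inherent_score(), risk.residual_score()
        rows.append({
            "risk": risk.name,
            "inherent": rating(inherent),
            "residual": rating(residual),
            "residual_score": residual,
            "reduction": round(1 - residual / inherent, 2),
            "action": "add controls" if rating(residual) in ("medium-high", "high")
            else "reassess next cycle",
        })
    rows.sort(key=lambda row: -row["residual_score"])
    return rows


# Constructed register: names, ratings and effectiveness values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Ransomware via phishing", "very likely", "critical",
         [Control("MFA on all remote access", 0.5), Control("Email filtering", 0.4)]),
    Risk("Vendor data breach", "likely", "high",
         [Control("Annual vendor questionnaire", 0.1)]),
    Risk("Insider misuse of privileges", "possible", "medium",
         [Control("Least-privilege access reviews", 0.5)]),
    Risk("Lost or stolen laptop", "unlikely", "high",
         [Control("Full-disk encryption", 0.9)]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['risk']:<30} inherent={row['inherent']:<12} "
              f"residual={row['residual']:<12} action={row['action']}")
```

The output makes the point of step 4 concrete: the ransomware risk drops from "high" to "medium" because two measured controls compound, while the vendor risk stays "medium-high" because the only control in place is weak, so it sorts to the top of next year's list even though its inherent score was lower.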
AI Risk Assessment
AI is expanding, for better and worse, which is why organizations should maintain a separate AI risk appetite statement, similar to a cyber risk appetite statement, as Marnie Wilking, CISO at Booking.com, stated in an RSAC 2026 presentation.
Regulators have increasingly included AI risk management as a cybersecurity imperative. The EU AI Act takes a risk-based approach to AI governance, establishing a tiered system of AI use based on risk level, with strict obligations imposed on high-risk AI applications.
To build a comprehensive AI and cyber risk program, organizations should consider aligning with the following frameworks:
- NIST AI RMF: Guidance for identifying, assessing, and managing AI-specific risks across the organization.
- NIST CSF 2.0: Widely adopted for managing cybersecurity risk, recently updated to include governance as a core function.
- ISO/IEC 27001: The gold standard for information security management, applicable to both cyber and AI-adjacent risks.
- EU AI Act: For organizations operating in or serving EU markets, alignment with the Act's tiered risk obligations is increasingly mandatory.
Third-Party and Supply Chain Risk
Organizations should treat third-party and supply chain risk as its own distinct category. Over the past five years, major supply chain and third-party breaches have quadrupled, according to IBM.
But beyond the frequency of attacks, the deeper problem is what organizations can't see. Patterson recently joined Hugh Thompson, Executive Chairman & RSAC Conference Program Committee Chair, on an RSAC Cyber at the Top podcast to discuss the challenges of today's supply chain security landscape, and one theme dominated: visibility, or the lack of it. Third-party risk has become a top priority for CISOs precisely because they have so little insight into what's happening inside their vendors' environments.
When a third-party breach occurs, that blind spot becomes critical. Organizations are left on the outside looking in, unable to monitor the incident as it unfolds, dig into the data, or bring in their own forensic teams. They are entirely dependent on the affected vendor's incident response, with no independent ability to investigate or verify.
The visibility gap extends to compliance as well. As Patterson emphasized, organizations must ensure their third-party vendors are held to the same regulatory standards they themselves are required to meet.
This challenge is further examined in an RSAC 2026 presentation. Moderator Kate Growley, Partner and Senior Director at Crowell & Moring LLP, framed the core problem, “Supply chains are more complex and digitalized than ever, expanding the attack surface and guardrails are coming from both inside organizations and from regulators.”
Panelist Katherine McDaniel, Director of Cybersecurity at T-Mobile, noted that supply chain management and regulatory interest in third-party risk aren't new; what has shifted is the emphasis. The focus has moved beyond confidentiality alone. Regulators are now applying the full CIA triad (confidentiality, integrity, and availability) to the systems, networks, and data that organizations depend on.
Another panelist, Christopher Hale, Senior Director of Cyber and National Security Laws at Cisco Systems, outlined three regulatory trends accelerating this shift:
- Data protection requirements are cascading downstream. Regulators are increasingly mandating that vendors themselves meet standards around confidentiality, integrity, availability, and resilience, not just the organizations they serve.
- Product security is under greater scrutiny. Stronger regulations are emerging around how products are built, governed, and brought to market.
- Geopolitics is reshaping supply chain decisions. Countries are enacting supply chain exclusionary laws, at times naming specific companies tied to adversarial nations, as national security and regulatory priorities converge.
The discussion outlined the growing regulatory pressures CISOs face (figure 3) and offered a practical framework for reexamining how organizations approach supply chain risk management, starting with the requirements below:
Figure 3: RSAC 2026 Presentation
When Things Go Wrong: Incident Response as a Risk Management Function
Organizations should shift their mindset from "prevent everything" to "how fast can we recover?" As Emma Smith, Global Chief Information Security Officer at Vodafone, discussed in the RSAC Cyber at the Top podcast, “Measuring resilience means tracking the scale of impact of an attack, the speed of recovery over time, the effect on customers, and whether the same incident recurs. The goal is an organization that can learn, adjust, and adapt after every event.”
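The four resilience measures named in that quote can be computed from an ordinary incident log. The following Python is an added example, not code from the article or from Vodafone: over a constructed list of incidents it reports, per quarter, the mean time to recover (speed of recovery over time), the number of customers affected (effect on customers), and which incident categories recurred, then summarizes whether recovery speed is improving. The incident records, field names and the quarter-over-quarter trend rule are assumptions made for illustration.

```python
"""Added example: resilience metrics from an incident log. The incidents below
are constructed for illustration; field names are an assumption, not a standard."""
from collections import defaultdict
from datetime import datetime

# Constructed incident log: id, category, detection time, recovery time, customers affected.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "detected": "2025-01-10T08:00",
     "recovered": "2025-01-12T08:00", "customers_affected": 1200},
    {"id": "INC-2", "category": "ransomware", "detected": "2025-02-03T09:00",
     "recovered": "2025-02-06T09:00", "customers_affected": 5000},
    {"id": "INC-3", "category": "phishing", "detected": "2025-04-15T10:00",
     "recovered": "2025-04-16T10:00", "customers_affected": 300},
    {"id": "INC-4", "category": "vendor outage", "detected": "2025-05-20T06:00",
     "recovered": "2025-05-20T18:00", "customers_affected": 800},
    {"id": "INC-5", "category": "phishing", "detected": "2025-08-01T00:00",
     "recovered": "2025-08-01T06:00", "customers_affected": 50},
]


def quarter_of(timestamp: str) -> str:
    """Label an ISO timestamp with its calendar quarter, e.g. '2025-Q1'."""
    dt = datetime.fromisoformat(timestamp)
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"


def hours_to_recover(incident: dict) -> float:
    """Speed of recovery for one incident: detection to recovery, in hours."""
    delta = datetime.fromisoformat(incident["recovered"]) - datetime.fromisoformat(incident["detected"])
    return delta.total_seconds() / 3600


def resilience_report(incidents: list) -> dict:
    """Compute the four measures from the quote: scale of impact, recovery speed over
    time, effect on customers, and recurrence of the same kind of incident."""
    recovery = defaultdict(list)          # quarter -> list of recovery hours
    customers = defaultdict(int)          # quarter -> customers affected
    per_category = defaultdict(list)      # category -> incident ids
    for inc in incidents:
        q = quarter_of(inc["detected"])
        recovery[q].append(hours_to_recover(inc))
        customers[q] += inc["customers_affected"]
        per_category[inc["category"]].append(inc["id"])

    mttr = {q: round(sum(h) / len(h), 1) for q, h in sorted(recovery.items())}
    quarters = list(mttr)
    # Assumption: the trend compares the first and last quarter's mean time to recover.
    if len(quarters) < 2:
        trend = "insufficient data"
    elif mttr[quarters[-1]] < mttr[quarters[0]]:
        trend = "improving"
    else:
        trend = "not improving"

    return {
        "incidents": len(incidents),
        "mttr_hours": mttr,
        "customers_affected": dict(sorted(customers.items())),
        # Recurrence: any category with more than one incident in the window.
        "recurring": {c: ids for c, ids in per_category.items() if len(ids) > 1},
        "recovery_trend": trend,
    }


if __name__ == "__main__":
    for key, value in resilience_report(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed log the mean time to recover falls from 60 hours in Q1 to 6 hours in Q3 and customer impact shrinks with it, which is the "learn, adjust, and adapt" signal; the same report also shows phishing recurring three times, which is the signal that a root cause has not been addressed even though recovery is getting faster.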
Cyber Insurance Reduces Risk
Cyber insurance is an often-overlooked part of the resilience equation. Beyond financial protection, as Tony Anscombe, Chief Security Evangelist at ESET stated in an RSAC 2026 presentation, “Modern insurers now provide incident response support, notify policyholders of vulnerabilities and require patching, and offer threat intelligence services.”
Security is about ensuring the business can continue to operate. As that mindset takes hold, the CISO evolves from gatekeeper to Risk and Resilience Officer, and the measure of success shifts from preventing every incident to ensuring the organization survives the ones that happen.
To learn more about how CISOs are managing cyber risk, we invite you to visit our library.