CISO accountability: Navigating a landscape of responsibility

The CISO role was once primarily technical; today, CISOs find themselves accountable for organizational risk, regulatory compliance, and even legal liability across the entire organization. However, as cyber threats intensify, it’s clear that overseeing cybersecurity operations enterprise-wide is not feasible for just one person.

CISO accountability

In 2025, I foresee a shift in CISO accountability.

Security will be a business-wide responsibility

As security touches and impacts every aspect of the organization, it’s no surprise that it will be increasingly viewed as a business-wide responsibility in the coming year. Whereas CISOs are now often the scapegoat for cybersecurity breaches, organizations will start to establish shared responsibility models that will protect CISOs and delineate the liability to maintain sufficient cybersecurity processes. Major brands like Microsoft are already setting the standard for shared responsibility models by ensuring the security of every employee—and it’s time others followed suit.

With this new collaborative model, the C-suite, general counsel, and board of directors will play a pivotal role in establishing clear and proper definitions of which departments are responsible for which security aspects.

For example, IT departments will be responsible for the infrastructure, focusing on implementing and maintaining technical defenses. In contrast, HR teams will focus on fostering a culture of security awareness among employees through comprehensive training programs and similar measures.

I encourage CISOs to begin having these conversations with the C-suite now to set teams up for success in the upcoming year.

The CISO role will become more collaborative and advisory

With a shared responsibility model, CISOs will collaborate more with teams and shift towards a more advisory role, leveraging their security expertise to assess, prioritize, mitigate, and/or accept risk with every department.

Research shows that 72% of executive leaders and cybersecurity professionals report that security and IT data are siloed in their organizations, contributing to corporate misalignment and elevated security risk. As overseers, CISOs break down these silos, facilitate the sharing of information, and coordinate responses to threats.

Collaboration between CISOs and departments will also ensure all employees think about cybersecurity measures throughout their processes, reducing vulnerabilities and ultimately taking the pressure off CISOs. For example, training employees to identify phishing attempts, follow secure file-sharing practices, or flag suspicious activity turns them into active participants in the organization’s defense strategy. Moreover, cross-departmental communication can lead to earlier identification of potential vulnerabilities or risks that might otherwise go unnoticed until they escalate and it’s too late.

CISOs will have a seat at the table

Although the CISO is considered a C-suite executive, research has found that many CISOs continue to struggle to be viewed as such and/or have not been elevated to that level, with just 20% of CISOs, and 15% of $1B+ company CISOs, being at the C-level. However, in 2025, CISOs will increasingly have a seat at the table to ensure security decisions are being made from the top down in alignment with relevant business goals.

Additionally, given that the focus of many security programs today is still reactive, CISOs can also ensure a heightened focus on proactive risk management when given the opportunity. Integrating proactive security across the organization means dedicating teams to support and focus on posture management, patch and vulnerability management, detection controls assessment and tuning, and red teaming, leaving teams in a position to stay ahead of threats rather than merely respond to them.

As organizations grapple with aligning their security frameworks with evolving mandates, clarity around the CISO’s role becomes paramount. Incident reporting requirements from the SEC, coupled with high-profile data breaches in recent years, have put a spotlight on the CISO role and on what does, or doesn’t, fall within its remit.

The expanding accountability demands a nuanced understanding of their responsibilities, from addressing technical vulnerabilities to shaping department strategies and navigating legal exposure. The upcoming year is an opportunity for organizations to clearly define the scope of the CISO’s role, ensuring they have the authority and support necessary to drive effective security initiatives across the organization.
