The expanding role of the CISO

We look at how the work of a CISO is getting ever more challenging, as security leaders are forced to do more with less


  • AI security is now a leading concern for the CISO.
  • Leaders need to find the right external expertise to address any internal security blind spots.
  • The top 15 per cent of security leaders are those who commit to a comprehensive crowdsourced security strategy.
  • The lack of talent and resources serves as a significant barrier to adopting this full-scale offensive security programme, with 39 per cent of CISOs highlighting this lack of skilled personnel as a major challenge.

The role of the CISO is changing fast. The job has always been a challenging one, but new mandates are increasing their responsibilities.

Not only are CISOs being required to do more with less, but they are also taking on the responsibilities of AI security and data privacy. Unsurprisingly, 78 per cent of businesses are concerned about growing AI security risks. And with good reason: over the past year there was a 210 per cent increase in valid AI reports, with 65 per cent of these being AI security issues.

New research from HackerOne has revealed that 84 per cent of CISOs are now responsible for AI security, while 82 per cent are charged with protecting data privacy. The result is an already burdened CISO being asked to monitor and secure technologies that are evolving at breakneck speed. New technology is constantly being implemented across businesses, and when complex technologies such as AI are adopted by 78 per cent of organisations – a 23 per cent increase from the previous year – the scale and intensity of the task become clear. This rapid adoption, often driven by different parts of the business eager for a competitive edge, creates entirely new attack surfaces which must remain under constant surveillance to ensure no security risks go unnoticed.

For a CISO, this task can seem insurmountable – even the most skilled internal teams will struggle if they lack the specialised knowledge. Faced with a variety of unique vulnerabilities, CISOs will need the right tools and support in order to keep the business safe.

The right partner for the job

A strategic approach to offensive security is critical. However, businesses need to understand that a CISO will be feeling the pressure under the weight of these new duties. It is vital, therefore, to find the right external expertise to address any internal security blind spots. This is where the global security research community truly shines. 

Many CISOs already use some form of crowdsourced security, and research has shown that this approach is significantly boosting detection where internal expertise may be scarce. For example, 88 per cent of CISOs find crowdsourced security effective in discovering and eliminating data privacy vulnerabilities, with 81 per cent finding it effective in addressing AI-related threats. 

It is clear that crowdsourcing is not a one-off solution, but instead part of a larger framework that will help tackle the most serious security challenges. This marks the beginning of the rise of a framework called Continuous Threat Exposure Management (CTEM), with organisations shifting from periodic testing to continuous, risk-based validation of their attack surface.

The ‘15 per cent advantage’

HackerOne’s recent report highlighted that the top 15 per cent of security leaders are those who commit to a comprehensive crowdsourced security strategy. These 15 per cent of CISOs are twice as likely to be fully effective compared to partial adopters by utilising the full range of available tools, from bug bounties to vulnerability disclosure programs (VDPs), red teaming and pentesting. It is through the implementation of these approaches combined, joining AI with the ingenuity of security researchers, that businesses will be better equipped to find and eliminate security, privacy, and AI vulnerabilities across the software development lifecycle. 

With 58 per cent of security researchers actively upskilling in AI, and 41 per cent already using the technology alongside their work, it is clear that we are now in the age of the AI-powered researcher – or, as we like to call them, ‘bionic hackers’. These researchers offer a cost-effective way for businesses to strengthen their defences, as bug bounties operate on a pay-for-results model, making them a strategic way for the CISO to proactively secure these critical new attack surfaces. Over the last 12 months, $3 billion of potential damages has been saved across the globe thanks to researchers finding and mitigating potential vulnerabilities.

Bridging the talent gap

Unfortunately, the lack of talent and resources serves as a significant barrier to adopting this full-scale offensive security programme, with 39 per cent of CISOs highlighting this lack of skilled personnel as a major challenge. On a global scale, the cybersecurity industry urgently needs around four million more professionals to bridge the current gap in key roles.

However, taking a crowdsourced security approach offers a powerful, scalable solution to this problem. It is a cost-efficient model that still enables organisations to access specialised expertise from a wide range of researchers whenever the need arises. Tapping into the diversity of the security research community helps leaders scale their security capabilities to match the speed and complexity of modern attack surfaces without being constrained by the limits of internal teams.

Ultimately, it is crucial for businesses to build a proactive, resilient security posture so that they are able to prevent and defend against the full diversity of security threats. Security leaders who embrace the defensive capabilities of crowdsourced security will soon discover that it is a crucial part of any cybersecurity strategy.

The case is clear. Crowdsourced security is an essential resource for businesses looking to future-proof their organisation, transforming security from a reactive function into a strategic, board-level advantage.

Josh Jacobson is director of professional services at HackerOne.


Anna Jordan

Anna is Senior Reporter, covering topics affecting SMEs such as grant funding, managing employees and the day-to-day running of a business.
