“The CISO is no longer just a necessary evil”


21 May 2024

Last month, during Amrops Global Digital Practice Quarterly Online Event “The evolution of the CISO role: CISO as a business enabler” we heard from and spoke to Harvey Ewing, CISO turned CIO, who is now again a CISO at Radial Inc., and to Dimitri van Zantvliet, CIO turned CISO, now the CISO at Dutch Railways (Nederlandse Spoorwegen). The event was facilitated by Job Voorhoeve, the leader of Amrop‘s Global Digital Practice, and Jamey Cummings, the Cybersecurity Partner at JM Search.

Both CISOs started by commenting on the drivers of cybersecurity nowadays, the global situation and the context where cybercrime has emerged as the world’s third-largest economy, trailing only the United States and China, and where, in the current global geopolitical climate, digital safety and physical safety are more and more inextricably linked.

“With AI emerging and changing the threat landscape even further, the role of the CISO is rapidly evolving,” said Dimitri van Zantvliet.

However, the tension between the priorities of enabling business objectives through technology and maintaining a robust security posture can be challenging when it comes to the collaboration between CISOs and CIOs.

“A “healthy conflict” can be a catalyst for collaboration between the CIO and CISO. When the status quo is challenged in a positive manner it can provide beneficial outcomes for the business as well as providing appropriate data for the Board when presenting security issues,” said Harvey Ewing. He also explored the idea of creating a functional partnership between the cybersecurity and software development teams and offered examples based on his personal experience.

Important parts of the discussion touched on issues related to legislation and how the need to be compliant has a serious impact on the organization’s business imperatives. Van Zantvliet explored the ethical aspects of security and compliance, and Ewing spoke of CISOs being more and more involved in business proposals provided by the organization.

It was also noted that in today’s threat environment, the CISO’s work is never complete. “As a CISO you’re playing an infinite game!” noted van Zantvliet. However, as long as there’s growth and learning, being a CISO can be an extraordinary journey of constant and multi-layered journey. Van Zantvliet emphasizes the need for experience: “Don’t step into this role too soon!”.

Coming back to the topic of the evolution of the CISO role, Ewing noted that the dynamics between the CISO and the other C-suite roles have changed: “Being a successful CISO nowadays means getting out of the typical CISO shell; you can go from being a CISO to being a CIO or a CTO – you can go wherever you want to go!”.

It goes hand in hand with his observation that “CISO is no longer just a necessary evil – companies need them and they’re becoming more and more aware of it.” This, however, doesn’t mean that the CISO’s work is done – it’s crucial that they always hone their messaging around cybersecurity issues and adapt the information with the business imperatives in mind!

The two speakers also answered some insightful and relevant questions from the audience, for example, they were asked to elaborate on ways in which they’ve worked to create a security awareness culture in their organizations, especially, in the context of increased attempts to breach the security of private individuals via various platforms and newly launched digital tools. They were also answering questions about the dynamics within the IT organization and the EU’s Cyber Resilience Act.

To find out more, reach out to us at digital.practice [at] amrop.com or contact Amrop’s Global Digital Practice member in your country.

For more insights on the topic of CIO & CISO managing tensions and working together, which Amrop’s Global Digital Practice explored with our global search partner JM Search, please see our full study.