Sponsor Content

From Risk Management to Enterprise Leadership

The Evolving Role of the CISO in State and Local Government

The cyber landscape is changing rapidly, and so is the position of the chief information security officer. Cloud adoption, artificial intelligence and workforce pressures, among other factors, have significantly reshaped the implications of cyber defense and thus the CISO’s responsibilities. Today’s CISO must be a collaborative leader across the enterprise — one who empowers people and establishes a culture of proactive responsibility.

CISOs as Enablers, Not Blockers

The perception of CISOs as gatekeepers is fading with the growing expectation that they will serve as partners to business and technology leaders. Nancy Rainosek, a senior fellow with the Center for Digital Government (CDG) and former CISO for the state of Texas, says that when she began her tenure in Texas, CISOs were often dismissed as obstacles. “We were called the ‘Department of No,’” she says. “As we evolved our office and worked to enable agencies, people started calling us the ‘Department of Know.’”

This shift described by Rainosek represents a broader reality: Security can no longer function as a standalone unit. The CISO must be a change agent, and cyber success across an organization depends on close collaboration as opposed to separation.

Nathan Loura, CISO for the state of Rhode Island, says enablement must guide the direction of the CISO. “Risk management does not mean being risk-averse,” Loura says. “It means getting to know the business, understanding how it operates and then bringing solutions that allow it to move forward securely.”

Technology Shifts

One of the biggest challenges for CISOs is keeping pace with rapid technology change while managing legacy systems. This will mean different things for different CISOs: State and local agencies are scattered across every stage of cloud adoption, from on-premises to hybrid to cloud-first.

“The reality is almost always a mixture,” says Ryan Kazanciyan, CIO and CISO at Wiz, a leading cloud security platform. “Some systems are lifted and shifted, while others are rebuilt to be cloud native. For most organizations, this is a process that spans years, and the opportunity for security leaders is to enable that transition both efficiently and securely.”

Governments are also adopting artificial intelligence at an uneven rate. Some agencies are only monitoring and evaluating AI tools rather than investing in them. Kazanciyan says government moves at a different pace than the private sector. “Fast-moving companies often adopt AI rapidly to maximize its potential as a force multiplier,” he says. “In the public sector, the obligations around regulation, privacy and security set a higher bar, so adoption is naturally slower.”

Rainosek stresses the importance of governance for AI adoption, especially when constituents can’t shop around for government services. “Constituents cannot go somewhere else for a driver’s license,” she says. “That is why government must adopt AI carefully, even as the benefits are clear.”

Measuring Success and Setting Priorities

Today’s CISO must rethink what success looks like. Cybersecurity effectiveness can no longer be distilled into a single metric or number. Instead, it demands a broader, more nuanced view of progress and resilience.

Kazanciyan cautions against relying on incident counts, calling them one of the least effective metrics to use. “If the incident number goes down, it might just mean people are redefining what counts as an incident,” he says. “What matters more is whether the impact of incidents is decreasing, whether teams are recovering faster and whether the same problems keep happening.”

During her tenure with Texas, Rainosek’s office relied on maturity models to track progress across agencies. These models assessed whether programs moved from ad hoc practices to more standardized, repeatable processes. “We used maturity models to measure positive change,” she says. “The results showed agencies were improving over time, and it gave us something concrete to present to the legislature when we requested funding.”

For CISOs, effective measurement is less about emphasizing specific metrics and more about demonstrating improvement. When agencies can show progress in reducing risks and decreasing response times, leaders are better positioned to secure resources and sustain change.

Conclusion

Technology and strategy are only part of a CISO’s role. True and lasting impact comes from a CISO’s ability to shape culture and invest in people. With workforce turnover, the loss of institutional knowledge, and constant pressure on staff, leadership and mentorship become essential. Without them, even the best security investments and improvements struggle to take root. “The legacy of a CISO is not just the tools they put in place,” says Dan Lohrmann, a CDG senior fellow and former CISO for the state of Michigan. “It is the people they mentored and the teams they built.”

