Something significant happened to the CISO role over the past three years, and it goes well beyond the usual handwringing about the security talent shortage or the complexity of the threat landscape. The position itself has undergone a fundamental transformation – one that I'd argue is more consequential than anything we've seen since the role was created.
EMA's latest white paper, “The Evolution of the Chief Information Security Officer: The Shift from Technical Guardian to Enterprise Risk Architect” examines what's driving this shift and what it means for security leaders and the organizations that hire them. Here are the key things I think practitioners need to understand.
The SEC's October 2023 enforcement action against SolarWinds CISO Timothy Brown wasn't just a legal drama; it was a professional reckoning. For the first time, an individual CISO faced personal liability for the accuracy of public cybersecurity disclosures. Even though the case was ultimately dismissed in November 2025, the damage – if you want to call it that – was already done.
The message is clear: internal communications are now potential evidence. If your private risk assessments don't align with what your company is saying publicly, you have a problem that is no longer just operational. It is legal. CISOs have effectively acquired a quasi-legal function, and the vetting of public-facing security statements is now part of the job description.
The oft-cited 32-month average CISO tenure tends to dominate conversations about role sustainability, and it does tell a real story about burnout and the "hero hire" cycle.
Our data shows three distinct cohorts emerging: those in the high-risk early window (under two years, representing 22.1% of organizations), the productive middle zone (two to five years, the largest group at 46.3%), and long-tenure leaders who have been in the seat five-plus years (31.6%). The aggregate average obscures a bimodal reality: organizations are either caught in the churn cycle or they've achieved the kind of leadership integration that produces genuinely mature security programs.
What makes this particularly interesting is the data point sitting underneath it: 92% of CISOs who experienced a material data loss in 2025 attributed it to departing employees – up sharply from 73% the year before. When CISOs cycle out every few years, access transitions become a structural vulnerability, not just an HR inconvenience.
Perhaps the most telling sign of the role's evolution is where the next generation of CISOs is coming from. The days of the "chief nerd" – the security operations veteran promoted for their technical acumen – are giving way to leaders groomed in governance, risk, and compliance functions, and increasingly from legal backgrounds.
The market has responded accordingly. Strategic CISOs – those who excel at board engagement and fiscal risk quantification – earn 57% more than their purely technical counterparts. ISO 42001, the AI governance standard, is emerging as the certification that matters most. The ability to speak ROI and regulatory exposure to a board is now worth more, at least financially, than deep-packet inspection expertise.
---
The reporting lines tell the simplest version of this story. In 2023, 54% of CISOs reported to a CIO or CTO. By 2025, that number was 30%, while direct CEO reporting tripled to 42% and board-level reporting climbed to 62%. Security is no longer a subset of IT, and the CISO role is evolving to match that reality.
The organizations that will thrive are those that stop hiring CISOs to "fix" security and start building the structural conditions for them to lead it.
---
This blog is based on EMA's white paper, "The Evolution of the Chief Information Security Officer" published May 2026. The research draws on EMA primary survey data collected in April 2026 from North American IT and security decision-makers.