The Risk Architect: Why CISOs are Returning to Their Roots

The prevailing narrative in cybersecurity suggests the CISO role has evolved from technical operator to strategic business and risk leader. It’s a compelling story—but it misses a key truth. What we’re seeing today is less an evolution than a return to the role’s original purpose.

That intent was clear from the very beginning. When Steve Katz became the world’s first CISO at Citicorp in 1995, he approached security as a business problem. Instead of focusing on systems or tools, he framed cybersecurity in terms of risk, asking leaders to consider how compromised data could directly impact financial outcomes.

He bypassed technical jargon to ask the board a fundamental business question:

"You are sitting in a trading room at a trading terminal and before your eyes, sixes and sevens become nines, fives become eights, and threes become zeros. What does that do to your trade?"

Katz wasn’t talking about technology. He was talking about trust, revenue, and operational integrity. That same lens defines how today’s most effective CISOs operate: translating cyber threats into business insights leaders can act on.

As the World Economic Forum’s Global Cybersecurity Outlook 2025 notes, “Effective CISOs frame cyberthreats as business risks rather than purely technical challenges.” By tying incidents to business continuity, reputation, and financial impact, they bring cybersecurity into the broader risk conversation—right where Katz positioned it from the start.

How CISOs Reassert the Risk Management Role

Katz’s approach offers a durable framework for modern organizations. He designed his questions to surface business exposure—not to uncover technical gaps.

On control and authorization: The conversation pivots from who has access to which actions could materially impact the business if misused. This helps identify where automated permissions or integrations could introduce unintended risk.

On integrity and auditability: The focus moves beyond logging to understanding where trust is non-negotiable. In many cases, the most damaging incidents are not data theft, but subtle manipulation of information that erodes confidence over time.

On availability and resilience: The question is no longer about uptime targets, but about identifying the moment when disruption becomes a business failure. This reframing helps prioritize investments in continuity and recovery where they matter most.

These are the kinds of shifts that align security with executive priorities and make it easier for CISOs to communicate risk in terms the business understands.

Reactive Security vs. Proactive Resilience

One of the clearest distinctions in this evolution is the move from reactive security toward proactive resilience.

Reactive models tend to focus on events. They prioritize detection, response, and remediation, often measuring success by the absence of visible issues. While necessary, this approach can create blind spots, particularly when risks do not immediately trigger alerts.

A resilience-driven approach starts with business aims and works backward. It assumes that disruptions will occur and focuses on limiting their impact. Leaders must design their controls not only to prevent incidents, but to contain them and ensure continuity when they happen.

This recalibration changes how organizations evaluate security. Instead of asking whether systems are secure, organizations begin to ask whether the business can continue to operate under stress.

According to Gartner, resiliency in the name of enabling the business is one of three key themes for CISOs in 2026. As one member of Gartner’s CISO community stated: “cyber resilience goes well beyond IT recovery plans—it includes legal, public relations, market disclosures, and supplier readiness. It’s about full, end-to-end coordination and readiness across departments.”

This broader resilience definition demands that leaders shift how they position security inside the business.

Reframing the Narrative: Security as Scaffolding for Growth

For years, companies have cast security teams as the “department of no”—a final checkpoint that slows things down or blocks progress altogether.

That perception is both cultural and structural. Introducing security late turns it into a constraint.

A risk-led approach changes the timing and the role. Security becomes the scaffolding that supports growth, providing the structure that allows teams to move faster without increasing exposure. Like scaffolding on a construction site, it is not the end goal, but it makes ambitious work possible.

As Deloitte’s Global Future of Cyber survey found, “cyber-mature organizations anticipate twice the positive outcomes as their less mature peers.” These results include higher revenue, confidence to innovate, and higher customer retention.

The "From–To" Transitions: A Guide for Security Leaders

Building that kind of scaffolding requires a shift in perspective. Instead of asking how security can prevent risk, leaders begin asking how it can enable the business to take the right risks safely. That distinction is what turns security from a blocker into a builder.

1. From Patching to Exposure Management

The perspective shift: Security must move beyond a checklist mindset and toward protecting what matters most to the business. Patching addresses known issues, but exposure management evaluates how vulnerabilities connect to critical assets and real attack paths.

The value: Resources are focused where they reduce business risk and not just technical debt.

Self-diagnosis: Are we prioritizing fixes based on severity scores, or on the criticality of the business asset at risk?

2. From Monitoring to Threat Hunting

The perspective shift: Teams must evolve from passive observation to active investigation. Monitoring surfaces known signals, while threat hunting looks for subtle anomalies that indicate emerging risk.

The value: Early detection prevents small issues from escalating into major incidents that disrupt operations or damage trust.

Self-diagnosis: If an attacker were operating quietly in our environment, how confident are we that we would find them?

3. From Manual Containment to Automated Orchestration

The perspective shift: Human response alone cannot keep pace with automated threats. Organizations need systems that act immediately when threats cross risk thresholds.

The value: Faster containment limits the blast radius of incidents and protects business continuity.

Self-diagnosis: How long does it take us to isolate a threat, and can the business withstand that delay?

The Boutique MSSP: A Strategic Partner in Modern Risk

Steve Katz had the luxury of building a team of 600 experts at Citicorp. Most organizations today operate with far leaner resources, making it difficult to maintain that depth of specialization in-house.

This is where a boutique Managed Security Service Provider (MSSP) becomes an essential partner and strategic extension of the CISO’s office by providing:

  • Contextual intelligence: A strategically aligned MSSP filters technical noise through the lens of your specific business objectives. This helps the CISO speak to executives in terms they understand, such as "revenue at risk" rather than "firewall hits."
  • Architectural scaffolding: A boutique partner helps design and implement the "scaffolding" mentioned earlier. This includes deploying solutions such as microsegmentation and automated orchestration tailored to the business’s specific workflows, rather than a one-size-fits-all template that creates friction for IT.
  • Advanced threat hunting: The right MSSP provides the specialized "hunters" who look for the subtle data integrity issues Katz warned about. This proactive stance moves the organization away from the "department of no" and into a state of continuous readiness.
  • Board-level translation: According to Foundry’s 2025 CSO Security Priorities Study, 95% of top security executives engage with their boards, and more than half brief their boards multiple times a month. A boutique MSSP provides the data and reporting necessary to talk to the board. It helps the CISO translate technical metrics (like “firewall alerts”) into risk metrics (like “operational resilience”).

The Business Value of a Risk-First Mindset

Organizations that align security with risk transform it from a cost center into a lever for business performance.

  • Faster digital transformation: Embedding security cross-functionally from day one enables DevOps and IT teams to ship products faster without last-minute friction.
  • Market resilience through Zero Trust: Limiting the blast radius of incidents strengthens trust with customers and partners.
  • Simplified regulatory adherence: A risk-led approach aligns with compliance requirements, reducing audit friction.
  • Safer AI Adoption: Instead of banning AI, a risk-minded CISO builds the governance framework allowing the business to adopt AI without exposing sensitive data.

Today, 86% of CISOs report that their role has changed so much it feels like a different profession, according to Splunk’s CISO Report. In reality, they’re reasserting the “Chief Information Risk Officer” mandate that Katz established three decades ago.

The modern CISO isn’t a departure from the past—it’s a return to first principles. By reconnecting security to its original purpose—managing business risk—organizations can move beyond reactive defense and build a more resilient, adaptable foundation for growth.
