Three emerging roles that signal where cybersecurity leadership is headed

Cybersecurity leadership is one of the most rapidly evolving disciplines in tech. CISOs were once only responsible for managing threats, but now the role requires product thinking, go-to-market strategy, and the ability to ensure profitability in the face of more sophisticated cyberattacks.
To understand how this shift is playing out, Insight sat down with Sean Cleary, head of security practice at executive placement firm Riviera Partners. He sees firsthand the changing skill sets required for cybersecurity excellence, and he shared his perspective on what great security leadership looks like in the enterprise and startups — now and tomorrow.
If you’re a talent leader, security ScaleUp founder building your executive team, or cybersecurity executive looking for a new role, here are five trends shaping cybersecurity leadership.
1. The CISO’s scope is expanding — and so are the stakes
“Companies are looking for security teams to do more with less,” says Cleary. That’s a tall order, with new AI-based threats and a rapidly expanding attack surface, meaning that the CISO’s role is only growing in both scope and stakes. “That has really upped the game for how good you need to be as a security leader in this industry now.”
The challenge begins with tooling. “There are a lot of different players in this space, and it’s hard to triangulate what the optimal solution is going to be for your org,” says Cleary. In other words, there are too many solutions and not enough clarity on what actually works. At the same time, “The market’s been under pressure. Interest rates haven’t gone down. M&A activity has not really picked up. So, there’s the consolidation piece that every CISO is getting pressured to do,” says Cleary. “How do you consolidate in the right way so that your attack surface is still covered?”
Cleary thinks the answer is focusing efforts on the three big enterprise threats right now: cloud, identity, and third-party risk. It also means being realistic with the resources at your disposal. Focus on tools that have the functionality that’s good enough for what your organization needs; don’t place too much weight on tools that, in the absence of a proper team or resources, won’t realize their value.
2. CISOs are being given more power
With rising stakes comes more authority. CEOs and boards are starting to give CISOs the mandate and resources they need to do their job more effectively. One sign of that is the rise of what Cleary calls “a strong lieutenant layer.”
“For a long time, because security is looked at as a cost center, CISOs were not afforded the opportunity to build strong VP-level executives underneath them,” says Cleary. That’s changing. Increasingly, CISOs don’t have the time or bandwidth to think about one thing in depth, so they need a team of deputies. “We’re seeing companies allow CISOs to hire some really great folks that can complete their skill set.”
3. The cybersecurity skill set is changing
And that skill set is changing, requiring a blend of technical fluency and business acumen.
“With the complexity of technology and the ever-changing nature of AI, it’s going to be really challenging to move the needle in the next couple of years if you don’t have that deeply technical background in a security leadership role,” says Cleary. “You’ve got to be fluent in AI.”
Security leadership now needs to understand how tools like ChatGPT or internal copilots — which enterprises can deploy quickly for the most basic use cases — are being used across the entire organization, because that’s the new threat surface. With 25% of companies planning to pilot autonomous AI agents in 2025, and half by 2027, CISOs must ask themselves, “What are my threats now going to look like? What are the technical and governance risks?”
Beyond technical expertise, CISOs also need to be business-oriented. “If you don’t have business acumen, if you can’t navigate stakeholders, if you can’t manage with nuance and lead with influence, it’s very hard to be successful in security leadership roles,” says Cleary.
4. Startups and ScaleUps need security leaders with product instincts
The same shift is happening in cybersecurity companies. Cleary notes that the most successful early-stage companies are hiring product-centric security leaders who understand value creation and positioning, bridging technical depth with go-to-market strategy.
“There is so much noise out there in the market,” says Cleary. “You have to have some folks who really have a strategic product mindset, who really understand how to drive a value prop, because if you don’t, you’re just not going to make it right now.”
One trend Cleary is seeing is the rise of the “single-threaded product and engineering leader,” particularly when a security startup hits a little bit of scale. “It gives the CEO one less direct report, and you can more closely align your product development teams towards a common mission.”
5. Three new cybersecurity roles are emerging
As CISOs take on broader responsibilities, companies are carving out new roles to address more specialized needs. Cleary sees three gaining traction.
Chief Product Security Officer. The product itself is often the most vulnerable attack surface, so it helps to have someone baking in security from day one. This is more important as AI proliferates, because the APIs that power it typically lack robust security. Over 57% of AI-enabled APIs are publicly exposed, and only 11% employ strong authentication and access controls.
For the first time, more than half of the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited flaws now involve APIs, showing a shift to attacks that aim for direct entry points.
Business Information Security Officer. The BISO acts as a security champion across business functions, working closely with product, HR, legal, and other departments to integrate cybersecurity into day-to-day operations.
Chief Trust Officer. As CISOs begin to own parts of engineering, like site reliability engineering (SRE) and DevOps, and take responsibility for trust and privacy, some companies are creating a new executive role to oversee transparency, ethics, and data governance across the whole business. “It’s a real meaty mandate,” says Cleary, “and I think it can help justify with a board and a CEO that you’ve got to go above and beyond to hire a rock star.”
For enterprises, startups, and ScaleUps, staying ahead means rethinking what great security leadership looks like and hiring accordingly. “Companies need to get ahead of that in terms of building the next three to five years of their program,” says Cleary. “You’ve got to start thinking proactively about how the skill sets in your team need to shift pretty dramatically to be able to keep up with quickly changing technologies and very, very well-funded threat actors.”
*Note: Insight Partners has invested in Riviera Partners.






