CISO Role Changes as Cyber-Risk Appetites in the C-Suite Grow
TechTarget, Monday, June 8th, 2026
As C-suites accept cyber incidents as inevitable, CISOs must shift from prevention toward business resilience and strategic alignment.
Per Gartner analyst Will Candrick, cybersecurity incidents are inevitable but rarely existential, with 71% of board members now willing to accept greater cyber-risk to achieve business objectives. Excessive security controls create friction that stifles innovation, forcing CISOs to reconsider whether more security means better business outcomes.
The new mandate emphasizes minimizing harm before, during, and after an attack rather than maximizing prevention. Performance metrics should expand beyond traditional security measures to include reducing outages, limiting liability, boosting revenue, and protecting brand reputation. By 2028, business acumen, not technical expertise, will be the primary differentiator for high-performing CISOs.