Is the CISO Role Shrinking to Compliance and Reporting?

By Muhammad Maad

From what I gathered at conferences and in articles over the last 10 years or so, the CISO was expected to wear many hats: strategist, technologist, risk translator, business enabler, and so on. However, a worrying perception is taking hold across many organizations: the CISO is becoming the custodian of compliance checklists and Board dashboards rather than the owner of cyber risk. This shift is subtle, systemic, and increasingly normalized.

Regulatory pressures have never been higher. Frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework, PCI DSS, and SBP regulations now dominate security agendas. As a result, we spend an increasing share of our time preparing audit evidence, mapping controls to frameworks, responding to regulatory observations, producing Board-level risk heatmaps, and managing assurance and certification cycles. Compliance is essential, but it is not synonymous with security. In my opinion, three structural forces are driving this shift:

  1. Boards ask for assurance, not scenarios: Board discussions often revolve around “Are we compliant (safe)?” rather than “How could we fail?” This pushes CISOs towards static reporting instead of dynamic risk modelling.
  2. Security metrics favour simplicity over reality: Maturity scores, Red-Amber-Green (RAG) statuses, and compliance percentages are easier to consume than attack path analysis or business impact scenarios.
  3. Operational security is fragmented: With cloud, IT Operations, DevOps, and Identity Management teams owning large parts of the security stack, CISOs are left coordinating governance rather than directing defence.

An organization can be fully compliant and still be dangerously exposed. Some of the most significant cyber incidents in recent years occurred in environments that were certified, audited, or “green” on dashboards. Compliance confirms that controls exist, but it does not confirm that they work under stress or pressure. When CISOs are measured primarily on compliance outcomes, security becomes about passing reviews rather than surviving attacks. At its core, the CISO role was designed to:

  • Translate cyber threats into business risk
  • Anticipate adversary behaviour
  • Shape investment decisions based on loss scenarios
  • Own incident readiness and crisis leadership
  • Influence architecture, not just policy

Reducing this role to compliance management strips it of strategic value, and leaves organizations exposed when the real test arrives. To avoid becoming compliance officers in disguise, CISOs must deliberately expand their remit to:

  • Shift Board conversations from controls to consequences.
  • Introduce scenario-based cyber risk modelling.
  • Quantify potential financial and operational impact.
  • Embed security into transformation programs early.
  • Measure resilience, not just maturity.

Equally important, Boards and Executives must empower CISOs to own cyber risk, not just report on it.

Compliance will always matter; reporting will always be necessary. But neither should define the CISO. Organizations (regulators or the regulated) that treat cybersecurity as an assurance exercise will eventually learn, often painfully, that attackers do not audit controls; they exploit weaknesses. Future-ready CISOs are not checklist managers; they are risk executives.

If the CISO’s success is measured only by clean audits and polished dashboards, the role will continue to shrink. If, on the other hand, it is measured by preparedness, resilience, and survival, the CISO becomes indispensable. The choice is not technical but structural, and it belongs to leadership.


Mr. Muhammad Maad is the Chief Information Security Officer (CISO) at Faysal Bank Limited. He has over 29 years’ experience in information technology, information security, and technology advisory services. Earlier in his career, he held the positions of Executive Director – IT Advisory at Ernst & Young, Chief Information Officer at ZTBL, and Head of IT at HSBC Pakistan.


As Head of IT and CIO, he successfully managed the core banking system implementation for his previous employers, whilst transforming the IT function as an effective forward-looking business enabler.

As a consultant, he helped organizations’ IT functions add value and operate effectively, delivering the required objectives. He also focused on the information security domain and managed a number of engagements ranging from baseline reviews to ISMS development and implementation. During his tenure with Ernst & Young he undertook numerous IT audit engagements, including banks, manufacturing companies, and pharmaceuticals.

Mr. Maad frequently serves as faculty for various curricula, including CISA and CISM. He provides guidance and support to young professionals in their career development.

He is a member of the Cyber Security Forum of the Pakistan Banks Association, Cyber Security Alliance Pakistan, and ISACA, USA. He served on the Board of ISACA Karachi for many years, holding various portfolios.
