×

Unauthorized individuals may attempt to impersonate Riviera Partners.

Please note:

If you receive a suspicious message claiming to be from Riviera Partners:

What a Modern CISO Does. And How the Role Has Changed

The CISO role has been quietly redefined over the last three years. The job that exists today in most organizations (particularly in AI-first and venture-backed companies) looks materially different from the compliance-and-incident-response function it was for most of the 2010s. Companies that are hiring CISOs against the old model are getting the wrong person for the job they actually have.

What Does a CISO Actually Do in 2026?

A modern CISO owns the organization’s security posture. But that scope has expanded well beyond firewalls and incident response. In 2026, the role has three distinct dimensions that need to be filled simultaneously.

Security operations: The traditional core. Threat detection, incident response, vulnerability management, security infrastructure. This is table stakes, not a differentiator.

Risk and governance: Board reporting, regulatory compliance, enterprise risk management, vendor and third-party security. This dimension has grown significantly as boards have increased their security oversight and as regulatory environments have tightened in financial services, healthcare, and increasingly in AI.

Business enablement: The dimension that separates modern CISOs from legacy ones. Security architecture decisions that enable faster product development rather than blocking it. Security as a competitive differentiator in enterprise sales. AI security strategy, governing how AI systems are built, deployed, and monitored from a risk perspective.

The CISOs who are most effective in 2026 are operating in all three dimensions. Those who are only operating in the first two are leaving significant value on the table.

How Does the CISO Role Differ by Company Stage?

The CISO mandate changes substantially as a company scales. What you need at Series B is not what you need at Series D. And it’s definitely not what you need at a public company.

StagePrimary mandateWhat good looks like
Series BBuilding the foundation, policies, basic infrastructure, vendor riskSomeone who can build from scratch without over-engineering for a stage you’re not at
Series C–DScaling security alongside product growth; first board reportingA communicator who can translate security risk into business risk language
Pre-IPOSOX readiness, executive buy-in, security as part of the IPO narrativeAn operator with public company experience or a strong advisor relationship
Public companyFull enterprise program, board committee reporting, regulatory depthA seasoned executive with strong governance instincts
PE-backedSecurity diligence, integration risk management, often rapid transformationSomeone comfortable operating under financial-sponsor oversight

How Has AI Changed the CISO Role?

This is where the largest shift is happening, and it’s moving faster than most organizations are prepared for.

AI systems introduce a new category of security surface that most traditional security frameworks weren’t built to address. The CISO in an AI-first company is now responsible for: securing the training data pipelines that models depend on, governing which AI tools are deployed internally and with what access, managing the risk of model outputs being used in decisions that create liability, and increasingly, working with regulators who are writing new rules faster than they understand the technology.

The CISOs who are ahead of this curve understand AI well enough to have substantive conversations with the engineering team, not just flag AI as a risk category to be reviewed. The ones who are behind are treating AI security the same way they treated cloud security in 2015: as a variation on existing frameworks that just needs some new controls.

When Should a Company Hire Its First CISO?

Most companies hire their first CISO about 12–18 months later than they should. The common triggers, a security incident, a customer enterprise requirement, or a board mandate, are all reactive. The companies that do this well hire ahead of those triggers, at the point where the cost of a security incident starts to significantly exceed the cost of the hire.

A useful rule of thumb: if you have customer data at any meaningful scale, are working toward an enterprise market, or are building on AI infrastructure that touches sensitive data, you’re probably ready for a CISO. Series B is typically the right time for most B2B SaaS companies. Companies in regulated industries (fintech, healthtech, insurtech) are usually ready at Series A.

The case for hiring earlier than you think you need to: the best CISO candidates are in high demand and not urgently looking. Finding the right person takes time. A company that waits until they have a problem is a company that will settle for whoever is available.


Frequently Asked Questions

What’s the difference between a CISO, a CSO, and a VP of Security? CISO (Chief Information Security Officer) is the most common title for the senior security executive and typically implies a broad mandate across security strategy, operations, and risk. CSO (Chief Security Officer) is sometimes used interchangeably but can also refer to a role with a broader physical and operational security mandate. VP of Security is often used at earlier-stage companies where the role is more operational and doesn’t yet carry the full strategic scope of a CISO.

Does a CISO need to be technical? Yes, but with nuance. A CISO needs enough technical depth to lead a security team, evaluate architecture decisions, and have credible conversations with engineers about threat models and controls. They do not need to be writing code or managing infrastructure directly. The most effective CISOs combine technical credibility with strong communication skills. They can translate technical risk into board-level language without losing the substance.

What should a CISO’s first 90 days look like? The best CISOs spend the first 30 days listening and assessing: understanding the current security posture, mapping the real threat surface (not just the documented one), and building relationships with engineering, legal, and the CEO. Days 30–90 are typically about prioritization, identifying the three or four areas of highest risk and starting to address them, while building the board reporting structure and vendor relationships that will support longer-term work. The CISOs who come in with a 90-day plan written before they’ve started tend to execute the wrong plan.

How involved should the board be in security decisions? Most boards now have some level of security oversight, whether through a dedicated audit committee responsibility or through direct CISO reporting. The modern expectation is that the CISO presents to the board at least quarterly, can communicate security risk in business terms, and has a direct line to the CEO when an incident requires rapid executive response. Boards that are passive on security tend to become reactive. And reactive security responses are significantly more expensive than proactive ones.

Find related content:

Recent articles