Walking the Path to the Future CISO: Reflections from ClubCISO at InfoSec 2026
At this year’s InfoSec 2026, ClubCISO relaunched with a powerful session on “The Path to the CISO Role: Future‑ready Skills for the Next Decade,” bringing together security leaders to talk frankly about what the CISO role is really becoming. It was less about tools and threats, and more about leadership, storytelling, and the tension between moving fast and staying secure.
ClubCISO’s evolving role
ClubCISO has grown into more than a UK-focused network. It is now a global community, with a membership model that keeps community access free while offering paid events for deeper engagement. The relaunch was a reminder of why spaces like this matter.
The aim is clear: to create a place where CISOs and senior security leaders can share real experiences, learn from each other, and have honest conversations that go beyond polished slide decks.
That community element came through strongly during the panel. Cyber security leadership can be a lonely place. When you are the person responsible for risk, resilience, incident response, reputation, and sometimes even business survival, it helps to have people around you who understand the weight of that responsibility.
From technical specialist to “Stratechnical” leader
A central theme was the evolution of the CISO from technical specialist to what one panellist framed as “Stratechnical”: equally comfortable in deep technical discussions and in strategic board conversations. Modern CISOs are expected to be generalists with a deep cyber core, overnight experts on whatever the board has just read in the news, able to respond with context and clarity. They’re not just managers; they’re leaders and innovators who have to understand how the whole business operates, not just the security stack.
With that shift comes a broadening of responsibilities. The CISO is often pulled into crisis management, reputation protection, and resilience planning, far beyond pure technical incident response. The expectation is clear: the CISO job is to enable business priorities and resilience, not simply to say no when something feels risky.
Speaking the board’s language
Board engagement came up again and again during the session, and for good reason. It is one of the most important skills future CISOs will need.
The poll results reflected this clearly. When asked how technical their boards were in relation to cyber security, only 3% of respondents said their board “knows their security stuff” and challenges them regularly. A further 24% said their board has some technical expertise and actively challenges them. But the largest group, 30%, said their board is not technical, yet still actively challenges them. Another 22% said their board is not technical at all.
That says a lot. The challenge is not always that boards do not care. In fact, in a separate poll, 69% of respondents said their board really understands cyber and cares. The bigger issue is often the gap between technical detail and business understanding.
The panel made a clear point: dashboards and technical updates are not enough. Boards need a story. They need to understand what the risk means, why it matters, and what decision is being asked of them.
A few practical takeaways really stood out:
- Use the “five so whats”. If you are explaining a technical issue, keep asking “so what?” until you can connect it to something the board cares about — revenue, operations, customers, reputation, or resilience.
- Don’t overload the board with detail. Not every technical point belongs in the board paper. The goal is not to prove how much you know. The goal is to help the board make better decisions.
- Find an ally in the room. That could be a non-executive director, a senior leader, or someone on the board who already understands the value of security. Having someone who can support and reinforce the message can make a real difference.
Boards care about growth, resilience, trust, and risk. It is up to the CISO to connect cyber security to those priorities in a way that feels relevant and actionable.
Moving quickly without losing control
Another tension the panel explored was the need to move fast while remaining safe and secure. In digital and D2C businesses, strong security and privacy controls can actually drive customer trust and conversion, but only if the organisation sees security as an enabler, not a brake. That requires CISOs to frame security as “how can we?” rather than “can we?”—designing scale‑appropriate controls that support growth instead of stifling it.
The poll results showed that this perception still has some way to shift. When asked whether their business sees cyber security as a business enabler or a cost, only 16% said it is definitely seen as a business enabler. 41% said it is viewed as a bit of both, an enabler and a cost, while 43% said it is definitely still seen as a cost.
That finding felt particularly important. It shows that although the role of security is evolving, many organisations are still struggling to see cyber as part of growth, trust, and resilience.
At the same time, the job is getting harder thanks to the sheer volume of misinformation in the public domain. CISOs find themselves regularly debunking sensationalist articles or vendor hype that boards and executives have seen, correcting myths without sounding defensive or obstructive. The session suggested this is an area ripe for thought leadership: managing misinformation and helping organisations distinguish between real risk and noise.
Regulation, resilience, and real-world pressure
Another interesting point from the audience polls was just how many organisations represented in the room operate in regulated environments. 74% of respondents said their company is in a regulated industry, while a further 11% said they are partially regulated.
That context matters. For many CISOs, the role is not just about protecting systems or responding to incidents. It is also about navigating regulation, demonstrating resilience, supporting audits, and helping the organisation make decisions that stand up to scrutiny.
This adds another layer to the future CISO role. They need to understand technical controls, but they also need to understand governance, legal exposure, customer expectations, operational resilience, and reputational risk.
In other words, the CISO is becoming a much more visible business leader.
Building the right team – and looking after yourself
A recurring reminder was that no CISO can carry all of this alone. As the role becomes more strategic, CISOs spend more time on budgets, board conversations, and influencing the wider organisation, which means it’s crucial to build a strong team around them. That team provides the depth in operations and engineering that allows the CISO to stay focused on direction, risk appetite, and resilience.
Equally important was the message about personal wellbeing. The panel was candid that cyber security leadership can be isolating and that startup and scale‑up environments add existential business risks into the mix. The advice was simple but powerful: align yourself with the right people—whether inside the organisation or in external communities like ClubCISO—and make sure you’re looking after yourself, not just the business.
Final reflections
The ClubCISO relaunch at InfoSec 2026 captured the reality that the CISO role is no longer defined purely by technical excellence. It is becoming a hybrid of strategist, storyteller, crisis leader, and innovator, with a mandate to enable growth while protecting the organisation from very real, and sometimes existential, risks.
The session was a timely reminder that our value as CISOs isn’t just in understanding threats and controls, but in helping the board and wider business make better, more informed decisions about risk. The future CISO will need to be “Stratechnical” by design, and supported by communities, teams, and allies who make that journey sustainable.

