Cambridge warns CISO role unsustainable

- Cambridge Judge Business School said on May 13 the chief information security officer role has expanded so far that it is unsustainable.
- Simon Learmount’s report, produced with ISTARI, said boards and CISOs are “talking past one another” as cyber duties spread across the firm.
- The full “Beyond the Firewall” report is available from Cambridge Judge, with an ISTARI webinar tied to its launch.

Cambridge Judge Business School said on May 13 that the chief information security officer role has become unsustainable at many companies as cyber duties spread beyond technical defense into governance, regulation and business oversight. The school published a report by Simon Learmount, an associate professor of corporate governance, arguing that the expansion risks weakening rather than strengthening corporate cyber resilience. The report was produced in collaboration with ISTARI, a cybersecurity company owned by Temasek, and draws on interviews with CISOs, board directors, regulators and policymakers across sectors and geographies. Cambridge said the problem now reaches company finances and reputation as well as technology operations.

### How has the CISO job changed, according to Cambridge?

The Cambridge report said the CISO role has moved from a mostly technology-focused post to one requiring a strategic business leader whose duties affect “every aspect of the firm.” The report’s table of contents points to a broader mandate that includes supply-chain and third-party risk, human factors and culture, regulatory and liability pressures, and evolving operating models. (jbs.cam.ac.uk)

Simon Learmount said the report found a widening gap between what organizations expect from CISOs and the structures, skills and support available to them. Cambridge said that gap includes a lack of full buy-in from boards of directors, even as cybersecurity has moved from the back office to the boardroom.

IANS Research, in a separate 2026 survey of more than 600 security leaders, described a similar pattern. (jbs.cam.ac.uk) Its snapshot report said CISOs have more influence than before but face a scope that is becoming harder to control, and it called the role a “critical paradox” of rising status and growing strain.

### What does Cambridge say is breaking down inside companies?

(jbs.cam.ac.uk) Cambridge said boards and cyber leaders often lack a shared language on risk, oversight and success measures. The report said CISOs and directors may sit in the same meetings while “not be speaking the same language or measuring success by the same yardsticks.” (iansresearch.com)

Learmount said the most striking finding from the interviews was not how much CISOs knew, but how little of that knowledge reached the people legally responsible for the consequences. He called that shortfall “a governance failure” and said boards had little time left to fix it.

The report also called for targeted training and development in cybersecurity governance for boards, CISOs and other organizational actors with cyber responsibilities. (jbs.cam.ac.uk) Cambridge said the need for training emerged repeatedly in both interviews and the literature reviewed for the study.

### Which pressures are making the role harder to sustain?

(jbs.cam.ac.uk) The report said cyber risk now sits alongside legal exposure, third-party dependencies and new technology risks. Cambridge linked the timing of the study to recent claims by Anthropic that its Claude Mythos model can perform some hacking and cybersecurity functions better than humans, adding to concerns over corporate cybersecurity. (jbs.cam.ac.uk)

The report’s framework also highlights post-Covid perimeter changes, including remote work, cloud sprawl and device management, as well as heavier expectations around vendor oversight and multidisciplinary teams. Those issues have pushed the CISO role deeper into enterprise governance rather than leaving it as a narrow IT function. (jbs.cam.ac.uk)

ISTARI’s public materials describe cybersecurity as a business-critical risk and say the company’s education and advisory work is built around cyber resilience as an organizational issue. That framing aligns with the Cambridge report’s focus on governance and leadership rather than only technical controls.

### Why did Cambridge tie the warning to board accountability?

(jbs.cam.ac.uk) Cambridge cited recent cyber incidents at major British companies to show the scale of operational and financial fallout. The school said attacks in the past year hit Marks & Spencer, costing more than 300 million pounds in lost profit and wiping 750 million pounds from its market capitalization, while Jaguar Land Rover suffered a five-week production shutdown that disrupted operations across 5,000 businesses in its supply chain and caused 1.9 billion pounds in economic damage. (istari-global.com)

The report said those cases show why cyber oversight can no longer be left to one overstretched executive. Cambridge’s recommendation was that boards pay urgent attention to how cyber responsibilities are structured and whether the role design still matches the scope of the risk.

### Where does the research go from here?

(jbs.cam.ac.uk) Cambridge published the full report, “Beyond the Firewall,” on May 13 on the business school’s website. ISTARI has also tied the research to its education and events program, including a launch webinar for the report and a June 3-4 COMPASS Summit in London focused on resilience in what it calls the “exponential age.” (jbs.cam.ac.uk)
