The CISO’s Role Is Rapidly Changing

John White is the Field CISO for EMEA at Torq. A respected security executive with more than 20 years of leadership experience, John previously served as CISO at Virgin Atlantic, where he led a multi-year transformation deploying the Torq AI SOC Platform to modernize cyber operations. Prior to that, he built and transformed security functions for global organizations, including ASOS, Liberty Global, AEG Europe, and KPMG.

AI isn’t just reshaping the threat landscape or how we defend against attacks; it’s redefining what leadership in security looks like. The CISO of the near future is less a chief technologist and more a strategic architect of business outcomes, designing human-machine teams that reimagine the target operating model in response to both risk and opportunity.

I want to dwell on that last word for a moment. Opportunity. We talk endlessly about risk in this industry, and for good reason. But we don’t talk nearly enough about the opportunity sitting right in front of us. For the first time in my career, CISOs have an enabler that can take a strategic vision from concept to operations, end-to-end, faster and more securely than ever before. That’s not a risk to manage. That’s an extraordinary moment to seize.

This piece is about what that means in practice for CISOs — for the role, for the skills we need to develop, and for the mindset we need to let go of. Some of it I’ve learned from watching the industry shift in real time. Some of it I’ve learned the hard way in the trenches. And some of it I’ve only realized after stepping out of an operational role and gaining an outside perspective as what I call “a recovering CISO.

What Does “Strategic Architect” Actually Mean?

There have been lots of technology waves in security — on-prem to cloud, SaaS, zero trust. Each one changed how we worked. But the AI wave is different in kind, not just degree. Quantum will have its own impact, but AI does something quantum doesn’t: it builds things for you. That’s a fundamentally different proposition for a CISO.

Historically, you put together your strategy — risk reduction targets, maturity gains — and executed it over a steady two- or three-year change program. You needed armies of people with specific skill sets. The gap between strategic intent and operational reality was measured in months, sometimes years.

Agentic AI is closing that gap.

With the right AI tooling, CISOs can articulate intent in natural language and have autonomous systems build, deploy, and iterate the operational response. Auto-triage events. Enrich and prioritize cases. Investigate and resolve incidents. What once took months now takes days or hours. And the kicker: you no longer need to depend on large teams of skilled resources to deliver it.

The day-to-day changes fundamentally. It’s no longer about managing activity. It’s about leading agentically — articulating intent, shaping outcomes, and building an organization capable of autonomous, agile execution.

Gone are the days of long, rigid three-year plans. The model is shifting: agree on an outcome, execute over a short sprint, come back to senior leadership with what you’ve built, review together, iterate, and go again. It’s a product lifecycle, not a security program. CISOs are becoming more product-focused, more like marketers, constantly selling a vision and delivering it in pieces.

The greatest skill a CISO can develop right now is the ability to articulate intent clearly and pivot fast. Everything else follows from that.

Two Starting Points, One Destination

I’ve worked on both sides of the Atlantic, and the regional differences in how CISOs are approaching this shift are real:

• U.S. CISOs have typically had greater freedom to experiment — with higher risk tolerance, faster technology adoption, and earlier moves toward automation-first models. They try things, swap them out if they don’t stick, and move on. Less governance bureaucracy, more speed.
• In EMEA, the starting point has been different. Regulation, data protection, and supervisory scrutiny drive a more cautious, governance-first mindset. CISOs there prioritize control and defensibility before innovation. Investments are more measured. The instinct is to get it right the first time and maximize the return on every dollar spent.

Neither approach is better. They’re different responses to different environments.

But AI is forcing convergence. U.S. leaders are realizing that agentic security without strong governance doesn’t scale safely. EMEA CISOs are recognizing that manual, people-heavy models can’t meet regulatory expectations at speed or scale. Automation is no longer optional; it’s becoming a prerequisite for compliance, resilience, and cost control.

The result is a shared destination from different starting points: security organizations that are outcome-driven, automated by default, and governed by design. The U.S. needs to think harder about governance. EMEA needs to shift from resilience-first to bolder, more innovative moves. Both are on the same journey.

The Skills Nobody Trained Us For

If I were mentoring someone who wants to be a CISO in five years, here’s what I’d tell them. And almost none of it maps to traditional career development.

First of all, don’t become a CISO. I’m joking. Mostly.

Agentic and AI systems literacy is non-negotiable. You need to be genuinely literate in the agentic world, not just aware of it. Keep up with emerging technologies, understand how things are being built, and know the movers and shakers. If you don’t understand how agentic systems work, you can’t re-architect a target operating model around them. You need enough depth to be an intelligent buyer, governor, and architect, even if you’re not building.

Product ownership mentality over technical depth. Think like a product owner, not a program manager. Shorter cycles, continuous iteration, outcome-based delivery. Think unified platform, not individual tools in silos. You can’t have silos of people and silos of tools and expect it to scale. The security organization of the future is a platform that integrates your existing stack while automating tasks that would otherwise require human intervention — which is exactly what the 2026 AI SOC Leadership Report found that 85% of today’s security leaders want: a unified, end-to-end AI SOC platform.

The ability to articulate intent and translate it into business outcomes. This surprises people the most. You no longer need deep technical knowledge to be an effective CISO. What you absolutely need is the ability to define what success looks like, communicate it in terms the board understands, and evangelize it across the organization. The modern CISO is more of a marketer than an engineer. You need a vision, and you need to keep selling it as you deliver it piece by piece.

Governance of autonomous workforces. As we create machine identities with real authority — for containment decisions, incident resolution, and workflow execution — we need governance models for them. How do hybrid human-machine teams operate? Who’s accountable when the machine gets it wrong? These are questions we were never trained for, and we need to start answering them now.

What I Had to Unlearn

I describe myself as a “recovering CISO.” That’s not a punchline; it’s an honest acknowledgment of what stepping away from 20-plus years of operational readiness actually feels like.

As CISOs, we like to keep a very tight grip on things. If we’ve got a grip, we can control it. Control means protection. That instinct gets deeply wired in. The phone rings at 3am and you’re already running through the response before you’re fully awake. Working weekends becomes normal. Getting pulled into every significant incident, every escalation? That’s just the job.

That constant readiness is hard to shake off. Even now, I catch myself with the operational muscle memory — the reflex to want to be in the room, the discomfort of not knowing exactly what’s happening on the front line. That’s why I call it ‘recovering’. I’m still pulling away.

But the distance has given me something valuable: the headspace to think about what security leadership actually means when you’re not drowning in operational noise. And what I see clearly now is that the tight operational grip, as much as it felt like protection, is also what holds CISOs back.

With autonomous and agentic delivery, we need to get comfortable releasing that grip and letting machine-led execution take its place. That’s not losing control. It’s reallocating where human judgment adds the most value. The machine handles execution. Humans handle intent, governance, and contextual judgment that AI can’t replicate.

CISOs still in the role will need to make the same mindset shift without the luxury of stepping back to reflect. The ones who do it well will thrive. The ones who stay stuck in their ways will be in survival mode.

The Pivot That Changes Everything

Ultimately, everything comes down to one fundamental shift — from controls to outcomes.

Think about how we’ve historically measured success. Risk scores. Maturity assessments. Compliance certifications. Patch percentages. These are measures of activity and operational hygiene. They’re not useless, but they’re no longer sufficient.

There’s a new target operating model built on three distinct layers: 

1. Outcomes: What the organization is trying to achieve, in business terms
2. Execution: Where automated and agentic capabilities deliver at scale, at machine speed
3. Judgment: Where human oversight, context, and accountability are applied where they genuinely matter

When you design this model properly, the things CISOs have always cared about become byproducts. Risk reduces, compliance follows, maturity improves. Not as the sole focus, but as the natural consequence of building something that actually works at the speed the threat landscape demands.

We need to rethink what success looks like. Not the next rung up the maturity ladder. Not the next compliance certification. But have we equipped the organization with a platform that can address future threats faster than before? Are we agile enough to adapt when the landscape shifts again… which it will?

Maintaining the norm is not an option. No one is going to thank you for a clean compliance scorecard if you’ve been hit by a machine-speed attack and couldn’t respond because you hadn’t built a machine-speed defense.

The CISO role is changing. Not incrementally but fundamentally. The question isn’t whether it will change. It’s whether you’ll change with it.

Want the data behind the shift? 450 security leaders weighed in.