Beyond IT: How CISOs Can Shape Business Processes Through Cross-Functional Thinking
Cybersecurity is still too often misunderstood as an IT discipline
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
This misunderstanding is convenient.
It allows executives to delegate uncomfortable questions to technical teams. It allows business units to treat security as an external control function. It allows projects to move forward until someone asks, usually too late, whether the system is secure, compliant, resilient, auditable, or fit for the risk environment in which the organization actually operates.
But cybersecurity is no longer something that happens after business decisions have been made.
It is part of how those decisions must be shaped.
A modern CISO who remains confined to IT will always arrive too late. The architecture will already be chosen. The supplier will already be contracted. The data flow will already be designed. The business process will already be implemented. The cloud platform will already be live. The AI use case will already be in production. The exception will already be normalized.
At that point, security becomes expensive friction.
Not because security is inherently slow.
But because it was invited too late.
The real opportunity for the CISO is not to block business processes from the outside. It is to help design them from the inside.
This requires a cross-functional mindset.
And it requires the organization to understand that security is not merely a technical safeguard. It is a condition for trust, resilience, continuity, legal defensibility, and sustainable digital transformation.
The Old Model Is No Longer Enough
The traditional model of cybersecurity assumed a relatively clear boundary.
The business defined what it wanted.
IT implemented the systems.
Security reviewed, protected, monitored, and responded.
That model may have worked in simpler environments. It does not work well in organizations shaped by cloud platforms, SaaS ecosystems, global supply chains, distributed workforces, AI tools, complex regulatory obligations, and business processes that are deeply dependent on data.
Today, almost every business decision has a security dimension.
Selecting a supplier creates third-party risk.
Launching a digital service creates identity, data protection, logging, and resilience requirements.
Using artificial intelligence creates confidentiality, integrity, explainability, governance, and accountability questions.
Moving to cloud platforms creates dependency, sovereignty, backup, access, monitoring, and exit risks.
Changing HR processes affects identity lifecycle, access rights, insider risk, and employee data protection.
Redesigning procurement affects contractual security obligations and supplier assurance.
Changing finance processes affects fraud risk, segregation of duties, auditability, and privileged access.
The idea that cybersecurity can be added later is one of the most expensive illusions in modern business.
The CISO must challenge that illusion.
Security as a Business Design Function
A mature CISO does not ask only whether a system is secure.
They ask whether the business process itself has been designed in a way that can be secured.
That distinction matters.
A poorly designed process cannot always be fixed by controls. If responsibilities are unclear, data ownership is undefined, supplier obligations are weak, access rights are excessive, logging is incomplete, and risk acceptance is informal, technology alone will not create security.
Security must be designed into the process.
This means asking early:
What data is processed?
Who owns it?
Who needs access?
Which decisions depend on its integrity?
Which systems are critical?
Which suppliers are involved?
Which legal obligations apply?
How is abuse detected?
How is resilience ensured?
How are exceptions approved?
What evidence would we need after an incident or audit?
These are not purely technical questions.
They are business design questions.
And the CISO has to be present when they are answered.
From Risk Preventer to Value Creator
Many organizations still frame the CISO as a risk preventer.
That role is important. Some risks must be prevented. Some practices must be stopped. Some decisions must be challenged. Some security requirements must be non-negotiable.
But if the CISO is only perceived as the person who says “no,” the organization will learn to avoid them.
Security will be escalated late.
Projects will search for shortcuts.
Business units will treat security as a compliance obstacle.
IT will optimize for delivery and only involve the CISO when approval is unavoidable.
The strategic CISO must change this dynamic.
The goal is not to become less demanding.
The goal is to become useful earlier.
A value-creating CISO helps the organization move faster by reducing uncertainty. They define minimum security requirements before procurement begins. They embed risk criteria into project governance. They create reusable patterns for cloud, AI, identity, data protection, and supplier security. They help business units understand what secure adoption looks like before expensive mistakes are made.
Security then becomes an accelerator.
Not because every requirement disappears.
But because the organization knows the rules before it starts building.
Security by Design Is a Leadership Principle
Security by Design is often discussed as a technical method.
It is more than that.
It is a leadership principle.
It means security is considered at the point where decisions are still flexible, costs are still manageable, and architecture can still be shaped.
In product development, this may mean threat modeling before implementation, secure coding standards, dependency management, vulnerability testing, logging requirements, and abuse-case analysis.
In procurement, it may mean supplier security questionnaires, contractual security clauses, data protection reviews, incident notification obligations, audit rights, encryption requirements, subprocessor transparency, and exit provisions.
In HR, it may mean secure onboarding, role-based access, background checks where appropriate, awareness programs, joiner-mover-leaver processes, and clear handling of sensitive employee data.
In finance, it may mean segregation of duties, fraud detection, privileged access controls, payment approval workflows, and monitoring of unusual transactions.
In operations, it may mean resilience planning, fallback processes, secure remote access, vendor dependency analysis, and crisis procedures.
In AI adoption, it may mean data classification, prompt governance, model risk assessment, human oversight, logging, acceptable use rules, and protection against leakage or manipulation.
Security by Design means the CISO is not waiting at the gate.
The CISO helps shape the road.
Why Cross-Functional Thinking Is Now Essential
Cybersecurity risk rarely respects organizational charts.
A ransomware incident may start with a phishing email, exploit weak identity controls, spread through unmanaged systems, disrupt operations, trigger legal notification duties, affect customers, create media pressure, and expose weaknesses in supplier contracts.
No single function can manage that alone.
The same is true for many modern security challenges.
Data leakage may involve IT, HR, legal, compliance, privacy, communications, and business process owners.
Cloud risk may involve architecture, procurement, finance, legal, operations, data protection, and enterprise risk management.
AI risk may involve innovation teams, legal, ethics, data governance, HR, security, and executive leadership.
Supply chain security may involve procurement, vendor management, legal, architecture, operations, and business continuity.
This is why the CISO must become a cross-functional leader.
Not to take ownership away from others.
But to create shared accountability where risk actually arises.
Working with Finance
Finance is one of the most important partners for the CISO.
Security investments compete with other business priorities. Without financial literacy, the CISO may present valid risks but fail to influence investment decisions.
The conversation with finance should not be limited to budget requests.
It should include risk quantification, cost of delay, fraud exposure, resilience investment, cyber insurance implications, audit findings, regulatory penalties, and the business impact of outages or data loss.
The CISO should help finance understand that some security investments are not discretionary technology costs. They are risk treatment decisions.
At the same time, finance can help the CISO sharpen investment logic.
Which controls reduce the most relevant risks?
Which risks justify immediate spending?
Which investments can be phased?
Where are we paying for tools without achieving capability?
Where are we accepting exposure without explicit management decision?
A strong relationship with finance makes cybersecurity more credible.
It turns security from a cost center into a disciplined risk investment.
Working with Legal and Compliance
Legal and compliance functions are natural partners, but the relationship must be carefully balanced.
Cybersecurity should not be reduced to compliance.
Yet legal obligations matter deeply.
Data protection, breach notification, sector regulation, contractual liability, outsourcing requirements, audit obligations, records retention, and cross-border data transfers all shape security decisions.
The CISO needs legal and compliance partners who can help interpret obligations. But the CISO must also ensure that compliance interpretation does not become a substitute for technical and organizational adequacy.
A system can be documented and still insecure.
A contract can contain security clauses and still be operationally weak.
A risk can be formally accepted and still be strategically irresponsible.
The cross-functional value emerges when legal, compliance, and cybersecurity work together to answer a stronger question:
What must we be able to defend — legally, technically, operationally, and ethically — if something goes wrong?
Working with Human Resources
HR is often underestimated in cybersecurity.
That is a mistake.
People risk is not only about awareness training. HR processes shape access, culture, insider risk, onboarding, offboarding, role changes, disciplinary processes, leadership behavior, and employee trust.
A weak joiner-mover-leaver process can create excessive access.
A poor offboarding process can leave accounts active.
A toxic culture can suppress incident reporting.
Unclear policies can create unsafe behavior.
Insufficient leadership training can undermine security culture.
A strong CISO-HR partnership can improve security significantly.
Together, they can design onboarding programs, role-based training, leadership awareness, phishing resilience, insider risk procedures, secure remote work practices, and escalation cultures where employees report mistakes early rather than hide them.
Cybersecurity culture is not created by the security team alone.
It is shaped by how the organization manages people.
Working with Procurement and Supply Chain
Procurement is one of the most powerful security control points in the enterprise.
Many risks enter the organization through suppliers, platforms, SaaS tools, consultants, outsourcing arrangements, and technology partners.
If security is not embedded into procurement, the CISO will spend years managing risks that could have been addressed before the contract was signed.
The procurement process should include minimum security requirements, risk-based supplier classification, data processing reviews, assurance obligations, incident notification timelines, access controls, audit rights, subcontractor transparency, resilience expectations, and exit clauses.
The CISO does not need to own procurement.
But the CISO must help design procurement rules that prevent unacceptable exposure.
This is especially important in organizations with cloud-first strategies, global operations, sensitive data, and strong dependency on external providers.
Supplier risk is not an administrative category.
It is part of the organization’s attack surface.
Working with Sales, Communications, and Customer-Facing Functions
Cybersecurity is increasingly part of trust.
Customers, partners, donors, regulators, and the public want to know whether organizations can protect data and operate responsibly.
In some sectors, strong security can become a competitive advantage. In others, weak security can quickly damage reputation and legitimacy.
The CISO should work with sales, communications, and customer-facing teams to ensure that security claims are accurate, defensible, and aligned with real capabilities.
Overstating security maturity is dangerous.
Undercommunicating genuine security strength is a missed opportunity.
The right approach is disciplined transparency.
What standards do we follow?
What assurances can we provide?
How do we protect sensitive data?
How do we handle incidents?
How do we assess suppliers?
How do we govern AI?
What evidence supports our claims?
In a trust-based economy, cybersecurity becomes part of the organizational narrative.
The CISO helps ensure that narrative is true.
Working with Operations
Operations often carry the real-world impact of cyber risk.
When systems fail, operations suffer.
When ransomware spreads, services stop.
When identity systems are unavailable, work slows down.
When suppliers fail, delivery chains break.
When backup and recovery assumptions are wrong, the business discovers that resilience existed only on paper.
The CISO must understand operational realities.
Which processes are truly critical?
Which manual fallbacks exist?
Which systems have hidden dependencies?
Which local teams operate outside standard IT?
Which operational technologies are difficult to patch?
Which business units cannot tolerate downtime?
Which resilience assumptions have never been tested?
Cybersecurity strategy that ignores operations becomes theoretical.
Operational resilience requires the CISO to work closely with those who understand how the organization actually functions under stress.
The CISO in Transformation Programs
Major transformation programs are where cross-functional CISO influence becomes most important.
Cloud migrations, ERP transformations, AI deployments, digital workplace programs, identity modernization, data governance initiatives, and platform consolidations reshape the organization’s risk profile for years.
If the CISO is involved only as a reviewer, the organization loses value.
The CISO should be involved as a design partner.
This means contributing early to architecture principles, risk criteria, access models, logging requirements, data classification, supplier governance, resilience objectives, compliance obligations, and operational handover.
Transformation programs often create long-term dependencies.
They also create moments where old weaknesses can either be removed or institutionalized.
The CISO must help ensure that transformation does not simply digitize yesterday’s risk.
The Danger of Late Security
Late security is expensive.
It creates rework.
It delays approvals.
It frustrates business units.
It creates conflict between project teams and security teams.
It encourages exceptions.
It leads to compensating controls that are weaker than proper design.
It creates the false impression that security is slowing the business, when in reality security was not included when speed was still possible.
This is one of the most important messages CISOs must communicate.
Security is fastest when it is early.
When requirements are known at the start, teams can design around them. When risks are identified early, options exist. When suppliers know expectations before contracts are signed, negotiation is possible. When data flows are understood before implementation, privacy and security can be built in.
Late security is not only inefficient.
It is a governance failure.
Building Shared Accountability
A cross-functional security model must not mean that the CISO owns every risk.
That would be impossible and unhealthy.
The CISO enables, advises, challenges, and monitors. But business owners must own the risks created by their processes. IT must own technical implementation. Procurement must own supplier governance processes. HR must own people processes. Legal must own legal interpretation. Compliance must own compliance frameworks. Executive leadership must own risk appetite and strategic decisions.
The CISO’s role is to make this accountability visible.
Who owns the process?
Who owns the data?
Who owns the system?
Who accepts the residual risk?
Who funds the treatment?
Who monitors effectiveness?
Who reports escalation?
Without clear ownership, cybersecurity becomes a dumping ground for unresolved organizational decisions.
That is not security governance.
It is avoidance.
Communicating Like a Business Leader
To shape business processes, CISOs must communicate differently.
Technical precision remains important, but it must be connected to business relevance.
Instead of saying, “We need stronger access controls,” the CISO should explain where excessive access creates fraud, data leakage, operational, or compliance risk.
Instead of saying, “The supplier does not meet our security standard,” the CISO should explain which contractual, operational, or resilience exposure this creates.
Instead of saying, “This system lacks logging,” the CISO should explain what the organization will be unable to detect, investigate, or prove after an incident.
Instead of saying, “Security must approve this project,” the CISO should explain which decisions require risk ownership before go-live.
This is not simplifying security to make it less serious.
It is translating security so that serious decisions can be made.
The CISO as Integrator
The modern CISO is not only a defender.
The CISO is an integrator.
They connect technology with risk.
Risk with governance.
Governance with accountability.
Accountability with business decisions.
Business decisions with trust.
This integration role is uncomfortable because it crosses organizational boundaries. It may challenge established ownership models. It may expose contradictions between strategy and execution. It may reveal that certain risks were accepted by default rather than by decision.
But that is precisely why the role matters.
The CISO sees patterns that individual functions may not see.
They see how a procurement shortcut becomes a cloud risk.
How a weak HR process becomes an identity risk.
How a missing data governance model becomes an AI risk.
How a delayed backup decision becomes a resilience risk.
How a technical exception becomes a board-level question after an incident.
This pattern recognition is one of the strongest contributions a CISO can make.
A Practical Model for Cross-Functional CISO Influence
CISOs who want to strengthen cross-functional influence can begin with a simple model.
First, identify the business processes where security risk is created early. Procurement, product development, cloud adoption, AI use cases, HR lifecycle processes, finance workflows, supplier onboarding, and transformation programs are typical examples.
Second, define minimum security requirements for each process. These requirements should be clear, practical, and risk-based.
Third, embed security checkpoints into existing governance rather than creating parallel bureaucracy. Architecture boards, procurement workflows, project gates, risk committees, data protection reviews, and change processes can become security integration points.
Fourth, assign ownership. Make clear who owns the business process, who owns the system, who owns the data, who implements controls, and who accepts residual risk.
Fifth, provide reusable guidance. Templates, patterns, checklists, decision trees, and approved architectures help the business move faster.
Sixth, measure whether security is involved early enough. Late findings are not only project problems; they are indicators of governance weakness.
Seventh, report cross-functional risks to executive leadership in business language.
This model does not require the CISO to control everything.
It requires the CISO to make security part of how the organization works.
Final Reflection
Cybersecurity has moved beyond IT.
But many organizations have not fully adjusted their governance, language, or leadership expectations.
They still involve security too late.
They still treat the CISO as a technical reviewer.
They still separate business design from security consequence.
They still believe that controls can be added after decisions have already become reality.
This is no longer enough.
The modern CISO must help shape business processes before they become security problems. They must work with finance, legal, HR, procurement, operations, communications, technology, compliance, privacy, and executive leadership. They must translate risk into decisions. They must embed security into transformation. They must make accountability visible.
This is not mission creep.
It is the natural evolution of cybersecurity leadership.
Because in a digital organization, security is not outside the business.
Security is one of the ways the business becomes trustworthy, resilient, and capable of acting with confidence.
The CISO who understands this will not wait to be invited at the end.
They will build the relationships, governance mechanisms, and language required to be present at the beginning.
That is where cybersecurity creates its greatest value.
Not by slowing the business down.
But by helping it move forward without losing control.
Publication Note & Disclaimer
This article was originally published on LinkedIn on February 12, 2025, and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.
For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.