A survey of 1,031 CISOs finds that cybersecurity leaders are paradoxically getting more comfortable with current levels of risks at a time when CEOs may be finally becoming more cautious.

Conducted by the market research firm Censuswide on behalf of Netskope, a provider of a suite of cybersecurity platforms, the survey finds only 16% of CISOs claim they have a low appetite for risk, compared to (32%) that perceive the CEO they work for having a low-risk appetite. Over half of the CISOs (57%) said their appetite for risk has increased in the last five years, with 59% now classifying themselves as business enablers.

Access to better access to data and analytics (76%) was the top reason for their shift in risk appetite, followed closely by first-hand experience (74%).

CISO Role is Changing

Additionally, more than two-thirds (67%) said they want to play an even more active role as a business enabler in the future, the survey finds. Two-thirds of CISOs (65%) now describe their responsibility in improving business resilience rather than specifically managing cyber risk. An equal percentage notes that the CISO role is changing rapidly as it becomes more proactive and progressive. Only 36% see themselves playing a “protector” role primarily focused on defending the organization.

Netskope Field CTO Steve Riley said that the survey makes it clear that modern CISOs have moved well beyond being the “office of no” so long as they are made aware of initiatives early enough to provide guidance. For example, two-thirds (66%) wish they could say “yes” to the business more often.

The irony is the rest of the C-suite is becoming more cautious as appreciation for cybersecurity risk continues to elevate, noted Riley. It’s not clear to what degree those concerns are connected to changes in compensation, which might include changes to bonus structures based on cybersecurity outcomes.

Both camps may finally be moving toward a middle ground, but tensions still exist. The survey, for example, finds two-thirds of CISOs (66%) said they are “walking a tightrope” between what the business wants and what makes sense from a security perspective. A full 92% said conflicting risk appetites between them and other members of the C-suite still create tension, with nearly two-thirds (65%) noting other members of the C-suite fail to see that the CISO role makes innovation possible.

A total of 62% said they no longer want to be pigeonholed as the “bringer of bad news” in their companies.

On the plus side, more than half (55%) said that they believe a zero-trust approach will enable them to balance conflicting priorities better, and that it will enable their organization to achieve key goals like moving faster (59%) and encouraging innovation (58%). A full 58% said their executive teams and boards are asking about zero trust.

However, only 44% have adopted zero-trust principles today and just under half (48%) said they do not know where to start their zero-trust journey.

It’s clear there is a long way to go before CISOs turn all their aspirations into everyday reality, however, it’s increasingly apparent the next generation of cybersecurity leaders is very much a different breed.